
Symantec™ Protection Engine for Cloud Services 8.1

Implementation Guide
Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect


Before you contact Technical Support, you can find free content in our online Knowledge Base,
which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the
search box of the following URL, type the name of your product:
https://support.symantec.com
Access our blogs and online forums to engage with other customers, partners, and Symantec
employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support


Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical
Support’s primary role is to respond to specific queries about product features and functionality.
Enterprise Customer Support assists with non-technical questions, such as license activation,
software version upgrades, product access, and renewals.
For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref
To contact Symantec Support, see:
https://support.symantec.com/en_US/contact-support.html
Contents

Symantec Support .............................................................................................. 4


Chapter 1 Introducing Symantec™ Protection Engine .................. 12

About Symantec™ Protection Engine for Cloud Services ...................... 12


About Centralized Console ............................................................. 13
What's new in Symantec Protection Engine 8.1 .................................. 13
What's changed in this release ........................................................ 14
Components of Symantec Protection Engine ...................................... 15
How Symantec Protection Engine works ........................................... 16
About automatic load balancing ................................................ 17
About supported protocols for Symantec Protection Engine ............ 17
What you can do with Symantec Protection Engine ............................. 18
Where to get more information ........................................................ 21
Information collected by Symantec Protection Engine .......................... 22
Onboarding to a centralized cloud console ........................................ 26

Chapter 2 Installing Symantec Protection Engine .......................... 28


Before you install Symantec Protection Engine ................................... 28
System requirements .................................................................... 29
System requirements to install Symantec Protection Engine on Linux ............ 29
About installing Symantec Protection Engine ...................................... 32
About authentication modes in Symantec Protection Engine ........... 33
Installing Symantec Protection Engine on Linux ............................ 34
Upgrading Symantec Protection Engine on Linux .......................... 37
Symantec Protection Engine post-installation tasks ............................. 41
Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux ............ 41
Clearing the Java cache .......................................................... 42
Accessing the Symantec Protection Engine console ...................... 43
Enhancing security for the HTTPS servers and SSL servers ........... 45
Changing the console settings .................................................. 47
Editing user information ........................................................... 49
Managing user accounts .......................................................... 51
About security notice .............................................................. 57

Allocating resources for Symantec Protection Engine .................... 58


Migrating to version 8.1 ................................................................. 61
Uninstalling Symantec Protection Engine .......................................... 62

Chapter 3 Activating licenses .............................................................. 63


About licensing ............................................................................ 63
About license activation ................................................................ 65
If you do not have a serial number ............................................. 65
Obtaining a license file ............................................................ 65
Installing the license file ........................................................... 66
About removing license files ..................................................... 67
Checking the license status ...................................................... 68
About transaction-based metering .................................................... 68
Viewing the metering information on the console .......................... 69

Chapter 4 Configuring scanning services for client applications .................................... 73
About the communication protocols .................................................. 73
Supported services by protocol ................................................. 74
About working with ICAP ................................................................ 75
Configuring ICAP options ......................................................... 76
About secure ICAP support in Symantec Protection Engine .................. 78

Chapter 5 Protecting against risks ..................................................... 79


About scanning for risks ................................................................. 79
About threat categorization and risk ratings ................................. 80
How Symantec Protection Engine detects risks ............................ 81
Configuring antivirus scan policy in Symantec Protection Engine ............ 82
Ways to test threat detection capabilities ..................................... 84
About quarantining files in Symantec Protection Engine ....................... 85
Configuring the quarantine in Symantec Protection Engine ............. 85
About preventing potential threats in Symantec Protection Engine ............................. 86
Configuring file name filtering in Symantec Protection Engine ........................... 87
Configuring true type file filtering in Symantec Protection Engine ...................... 89
Configuring file size filtering in Symantec Protection Engine ............ 89
About container files in Symantec Protection Engine ........................... 91
About unscannable files in Symantec Protection Engine ................. 91
Customizing notifications in Symantec Protection Engine ...................... 93

About Symantec Insight™ .............................................................. 95


How does Symantec Protection Engine use Symantec Insight™ ........................ 95
Enabling Symantec Insight™ policy ........................................... 95
Configuring the scanning aggression level ................................... 95
Excluding files from scanning based on file size ........................... 96
About Android Application (APK) Reputation ..................................... 97

Chapter 6 Monitoring and tuning the performance of Symantec Protection Engine ...................................... 98
How to monitor Symantec Protection Engine performance .................... 98
Monitoring scanning requests ................................................... 98
Monitoring Symantec Protection Engine resources ...................... 102
Ways to improve Symantec Protection Engine performance ................ 107
Deployment considerations and recommendations ...................... 107
Enhance performance by limiting scanning ................................ 109
Configuration settings that can conserve and enhance performance .................................................. 115

Chapter 7 Filtering URLs ..................................................................... 117


About filtering URLs .................................................................... 117
About categories .................................................................. 118
How to filter a URL ...................................................................... 131
About the filtering modes ....................................................... 131
Denying access to URLs in URL categories ............................... 133
Managing local categories ...................................................... 134
Overriding a URL categorization .............................................. 137
Customizing the access denied message .................................. 138
About URL Reputation ................................................................. 139
Configuring URL Reputation ......................................................... 140

Chapter 8 Logging data, issuing alerts, and generating reports ........................................................................... 141

About logging data ...................................................................... 141


Logging destinations ............................................................. 141
Logging levels and events ...................................................... 142
Specifying the log bind address ............................................... 145
About configuring local logging ...................................................... 146
Specifying the local logging level ............................................. 147
Changing the directory where log files are located ....................... 147
Changing the length of time that log files are maintained .............. 148

Enabling statistics reporting in Symantec Protection Engine .......... 149


Configuring logging to the Linux Syslog ........................................... 150
About configuring alerts ............................................................... 151
Activating SMTP alerts .......................................................... 151
Activating SNMP alerts .......................................................... 152
Configuring outbreak alerts ..................................................... 153
About reports ............................................................................. 155
Viewing the local log data ....................................................... 156
Exporting local log data to a file ............................................... 157
Viewing statistics log data ...................................................... 158
About summary report on Symantec Protection Engine home page ............................................................ 159

Chapter 9 Keeping your product up to date ................................... 163


About content updates ................................................................. 163
About definition updates ........................................................ 163
About updating your protection ................................................ 164
About LiveUpdate ....................................................................... 164
Configuring LiveUpdate to occur automatically ........................... 165
Performing LiveUpdate on demand .......................................... 166
About editing the LiveUpdate XML file ...................................... 166
About LiveUpdate logging ...................................................... 167
Rolling back URL definitions ......................................................... 169
About on demand rollback ...................................................... 170

Chapter 10 Working with the Core server only mode ..................... 171
About the Core server only mode ................................................... 172
About XMLModifier tool ......................................................... 173
XMLModifier options ............................................................. 174
Accessing the XML modifier command-line tool .......................... 177
Inactive XPaths .......................................................................... 177
Configuring ICAP options in the Core server only mode ...................... 181
Configuring the antivirus scan policy in the Core server only mode ............................. 182
Configuring APK Reputation in the Core server only mode .................. 183
Configuring the quarantine server in the Core server only mode ........... 184
Configuring file name filtering in the Core server only mode ................. 185
Configuring file size filtering in the Core server only mode ................... 187
Configuring true type file filtering in the Core server only mode ............. 188
Configuring Symantec Protection Engine to handle encrypted container files in the Core server only mode ............................................ 190
Customizing notifications in the Core server only mode ...................... 191

Enabling Symantec Insight™ in the Core server only mode ................. 195
Configuring the scanning aggression level in the Core server only mode ................................................... 196
Excluding files from scanning based on file size in the Core server only mode ................................................... 197
Monitoring scanning requests in the Core server only mode ................ 198
Enabling resource consumption logging in the Core server only mode ................................................... 200
Specifying the maximum file or message size to scan in the Core server only mode ........................................................... 201
Setting container file limits in the Core server only mode ..................... 202
Enabling URL filtering in the Core server only mode .......................... 204
Enabling URL Reputation in the Core server only mode ..................... 205
Denying access to URLs in URL categories in the Core server only mode ................................................... 205
Customizing the access denied message in the Core server only mode ................................................... 206
Specifying the log bind address in the Core server only mode .............. 207
Specifying the local logging level in the Core server only mode ............ 208
Changing the directory where log files are located in the Core server only mode ........................................................... 209
Changing the number of log files to be maintained in the Core server only mode ........................................................... 210
Enabling statistics reporting in the Core server only mode ................... 211
Configuring logging to the Linux Syslog in the Core server only mode ................................................... 211
Activating SMTP alerts in the Core server only mode ......................... 212
Activating SNMP alerts in the Core server only mode ......................... 214
Configuring outbreak alerts in the Core server only mode .................... 216
Configuring LiveUpdate to occur automatically in the Core server only mode ................................................... 219
Performing LiveUpdate on demand in the Core server only mode ......................................................................... 221
About editing the LiveUpdate XML file ............................................. 221

Appendix A Performing a silent installation ...................................... 223


About silent installation and upgrade ............................................... 223
Implementing a silent installation in Linux ........................................ 223
Creating the response file ...................................................... 224
About initiating a silent installation using the response file ............. 229
Generating an encrypted password ................................................ 229

Appendix B Using the Symantec Protection Engine command-line scanner ............................................... 230

About the Symantec Protection Engine command-line scanner ............ 230
Setting up a computer to submit files to Symantec Protection Engine for scanning ........................................................................ 231
C-based command-line scanner syntax and usage ............................ 232
Supported command-line options for C-based command-line scanner ........................................................................ 234
About specifying the Symantec Protection Engine IP address and port for C-based command-line scanner .............................. 238
About specifying the antivirus scanning mode for C-based command-line scanner .................................................... 239
About obtaining scan results for C-based command-line scanner ........................................................................ 240
About requesting recursive scanning ........................................ 243
About disposing of infected files when an error occurs ................. 243
Excluding files from scanning .................................................. 244
Redirecting console output to a log file ...................................... 245
About scanning files in Symantec Protection Engine using different services/APIs ................................................................ 245
About using Insight command options with C-based command-line scanner ........................................................................ 246
Java based command-line scanner syntax and usage ........................ 247
Supported command-line options for Java based command-line scanner ........................................................................ 248
About specifying the Symantec Protection Engine IP address and port for Java based command-line scanner .......................... 251
About specifying the antivirus scanning mode for Java based command-line scanner .................................................... 252
About obtaining scan results for Java based command-line scanner ........................................................................ 253
About scanning files in Symantec Protection Engine using different services/APIs with Java based command-line scanner ........... 254
About using Insight command options with Java based command-line scanner .................................................... 254

Appendix C About editing configuration data ................................... 257


About editing the Symantec Protection Engine configuration files .......... 257
About configuration options ........................................................... 258
Configure the ICAP response .................................................. 259
Configure the ICAP preview option ........................................... 260
Configure the secure ICAP options .......................................... 260

Enabling client certificate verification ........................................ 262


Control the dynamic thread pool .............................................. 262
Disable the ICAP threshold client notification .............................. 264
Change the LiveUpdate base time ........................................... 265
Configure the LiveUpdate server details .................................... 266
Specify a replacement file name .............................................. 267
Modify the ICAP options attribute-list extension .......................... 268
Access scan error files .......................................................... 269
Disable automatic self-test scanning ......................................... 269
Enable nonviral threat categories information ............................. 270
Specify maximum file size for extracted files .............................. 271
Specify maximum cumulative file size for extracted files ............... 271
Specify the maximum socket timeout value ................................ 272
Specify file size threshold for scanning exclusion ........................ 272
Include category information from ICAP response in URL filtering ......................................................................... 273
Enable threat categories information ........................................ 273
Specify file path exclusion for scanning in Symantec Protection Engine ......................................................................... 274
Configuring the additional parameters of URL Reputation ............. 276

Appendix D Return codes ...................................................................... 278

ICAP return codes ...................................................................... 278

Appendix E Common LiveUpdate error codes .................................. 279


Common LiveUpdate error codes ................................................... 279

Index ................................................................................................................... 281


Chapter 1 Introducing Symantec™ Protection Engine
This chapter includes the following topics:

■ About Symantec™ Protection Engine for Cloud Services

■ About Centralized Console

■ What's new in Symantec Protection Engine 8.1

■ What's changed in this release

■ Components of Symantec Protection Engine

■ How Symantec Protection Engine works

■ What you can do with Symantec Protection Engine

■ Where to get more information

■ Information collected by Symantec Protection Engine

■ Onboarding to a centralized cloud console

About Symantec™ Protection Engine for Cloud Services
Symantec™ Protection Engine for Cloud Services is hereafter referred to as Symantec
Protection Engine.
Symantec Protection Engine is a carrier class content and URL scanning engine. Symantec
Protection Engine provides content scanning and URL filtering capabilities to any application
on an IP network, regardless of its platform. Any application can pass files or URLs to Symantec
Protection Engine for scanning.
Symantec Protection Engine accepts scan requests from client applications that use the
following protocol:
■ The Internet Content Adaptation Protocol (ICAP), version 1.0, as presented in RFC 3507
(April 2003)
See “About supported protocols for Symantec Protection Engine” on page 17.
You can use the Symantec Protection Engine software development kit (SDK) or build your
own connector to integrate Symantec Protection Engine with your application. The SDK supports
version 1.0 of ICAP, as presented in RFC3507 (April 2003). Symantec also has developed
connector code for some third party applications to seamlessly integrate with Symantec
Protection Engine.
The Symantec Protection Engine Software Developers Guide provides information about how
to create customized integrations with ICAP.
See “Components of Symantec Protection Engine” on page 15.
See “How Symantec Protection Engine works” on page 16.
See “What you can do with Symantec Protection Engine” on page 18.

About Centralized Console


Symantec Protection Engine provides a centralized console, in addition to the existing web-based
interface, from which you can manage multiple Symantec Protection Engine installations. On the
centralized console you can manage scanners and scan policies, create assets and alerts, and
view dashboards and events.
You can start the on-boarding process to the centralized console by using the cloud
management utility cloudmgmtutil, which is available in the installation directory.
After the on-boarding process is complete, you must enroll every Symantec Protection Engine
scanner that you want to manage from the centralized console.
See “Onboarding to a centralized cloud console” on page 26.

What's new in Symantec Protection Engine 8.1


Table 1-1 describes the new features in Symantec Protection Engine.
Table 1-1 New features

Support for non-archive files larger than 2 GB
    Symantec Protection Engine 8.1 supports scanning of non-archive files that are larger than
    2 GB. In previous releases, the limit was 2 GB.

Latest Symantec technologies
    Symantec Protection Engine 8.1 is integrated with the latest internal Symantec scanning
    technologies, with improved efficacy through AML, the x86 PE Emulator, nonPE/Scripts,
    and so on.

Enhanced LiveUpdate
    Internal critical fixes are now delivered through LiveUpdate.

Improved in-memory file system
    Symantec Protection Engine uses system memory to stream and scan files. The memory
    size is no longer limited to 4 GB.

What's changed in this release


Table 1-2 describes the features that are excluded in Symantec Protection Engine 8.1.

Table 1-2 Excluded from this release

Malformed container file detection
    Malformity is no longer reported because it is not considered a threat.

Malware repair
    Malware repair is not supported in this release.

Insight details
    ICAP changes:
    ■ The X-File-Insight-Info tag is not available in the ICAP response.
    ■ Insight details such as age, reputation, prevalence, and SHA are not available in the
      ICAP response.
    Log changes:
    ■ Insight details such as age, reputation, prevalence, and SHA are not available in logs.

APK reputation
    APK reputation is now reported in the same way as threats. Earlier releases used specific
    IDs.

Rapid Release and Intelligent Update
    Updating definitions using Rapid Release and Intelligent Update is not supported in this
    release. You must use LiveUpdate to update the definitions.

Email Filtering
    Filtering emails based on subject line and message origin is not supported in this release.

See “Inactive XPaths” on page 177.

Components of Symantec Protection Engine


Table 1-3 lists the components that are included in the Symantec_Protection_Engine.zip file.

Table 1-3 Product components

Symantec Protection Engine (folder: Symantec_Protection_Engine\)
    The software that you install to protect your network from threats (such as viruses),
    security risks (such as adware and spyware), and unwanted content.

Silent installation (folder: Symantec_Protection_Engine\Silent_Install\)
    The files that you can use to perform a silent installation. Also includes response files
    for Red Hat.

Command-line scanner (folder: Command_Line_Scanner\)
    The software that acts as a client to Symantec Protection Engine through the Symantec
    Protection Engine application programming interface (API). The command-line scanner lets
    you send files to Symantec Protection Engine to be scanned.

Symantec Protection Engine software developer's kit (folder: Symantec_Protection_Engine_SDK\)
    The tools and documentation that you can use to create the customized integrations that
    use ICAP.

Table 1-4 lists the components that are included in the Symantec_Protection_Engine_Tools.zip
file.
Table 1-4 Product components

Symantec Central Quarantine server (folder: Tools\Central_Quarantine\)
    The tool that you use to quarantine infected files when you use the ICAP protocol.
    Symantec Central Quarantine server lets you isolate infected files so that threats cannot
    spread.

MIB file (file: Tools\MIB\symantecprotectionengine.mib)
    The Management Information Base (MIB) file (symantecprotectionengine.mib) is located in
    the MIB directory in the Symantec Protection Engine Tools zip file. You can use this file
    to configure SNMP alerts.

LiveUpdate Log Config files (folder: Tools\LiveUpdate_Log_Config\)
    The LiveUpdate Log Config folder contains the various configuration files to enable
    LiveUpdate logging on all platforms.

Centralized Log Collection Utility (folder: Tools\Centralized_Log_Collection_Utility)
    Use the centralized log collection utility to collect data for each Symantec Protection
    Engine computer. It also generates a report in human-readable format for all Symantec
    Protection Engine computers.

Adobe Acrobat Reader is required to view the reports that are generated in .pdf format. You
can download Adobe Acrobat Reader from http://www.adobe.com/.

How Symantec Protection Engine works


You can use one of the SDKs or build your own custom application that supports ICAP to connect
to Symantec Protection Engine.
You can create a custom integration using any of the following ways:
■ Client-side application programming interface (API) C library
If you plan to integrate content scanning, you can use the Symantec Protection Engine
API.
■ Client-side application programming interface (API) Java library
If you plan to integrate content scanning, you can use the Symantec Protection Engine
API.
■ Client-side application programming interface (API) .Net library
If you plan to integrate content scanning, you can use the Symantec Protection Engine
API.
■ Standard ICAP, based on the specification that is presented in RFC 3507 (April 2003)
For more information, see the Symantec Protection Engine Software Developer's Guide.
You can configure client applications to pass files to Symantec Protection Engine through one
of the supported communication protocols. You can configure Symantec Protection Engine to
scan only the files that it receives from the client application. The client application must decide
which files to scan and what to do with the results.
You might need to configure the third-party application to add threat, security risk, and URL
filtering. Consult any documentation that is included with the connector in addition to this guide.

About automatic load balancing


The Symantec Protection Engine APIs provide load balancing across multiple computers that
run Symantec Protection Engine. Client applications that pass files to Symantec Protection
Engine benefit from load-balanced scanning without any additional effort. If you use multiple
protection engines, the API determines which protection engine receives the next file to be
scanned based on a scheduling algorithm.
If any Symantec Protection Engine cannot be reached or fails during a scan, another Symantec
Protection Engine is called. The faulty Symantec Protection Engine is taken out of rotation for
a period of time. If all of the Symantec Protection Engines are out of rotation, the faulty
Symantec Protection Engines are called again.
When the number of queued requests for a Symantec Protection Engine exceeds its threshold,
Symantec Protection Engine rejects the scan request. It notifies the client that the server has
reached the queued request threshold. The client can then adjust the load balancing, which
prevents the server from being overloaded with scan requests. This feature lets the client
applications that pass files to Symantec Protection Engine benefit from load-balanced scanning
without any additional effort.
See “Allocating resources for Symantec Protection Engine” on page 58.
See “Disable the ICAP threshold client notification” on page 264.
The API tries to contact Symantec Protection Engine five times within the pool of available
Symantec Protection Engines.
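The behaviour described above (round-robin distribution, an unreachable engine taken out of rotation for a period, all engines called again when every one is out of rotation, a queue-full rejection that the client simply routes around, and at most five attempts per file) can be modelled in a few dozen lines. The following is an added illustration, not the Symantec Protection Engine SDK's own code: the SDK's actual scheduling algorithm and its out-of-rotation period are not published on this page, so the round-robin choice, the 60-second penalty and the `OK`/`UNREACHABLE`/`QUEUE_FULL` outcome names are assumptions of this model.

```python
"""Model of the client-side load balancing described in the guide.

Added illustration, not the Symantec Protection Engine SDK's own code. The
round-robin choice, the 60-second out-of-rotation period and the outcome
names below are assumptions; only the behaviour mirrors the text.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Outcomes that one scan attempt against one engine can produce in this model.
OK, UNREACHABLE, QUEUE_FULL = "ok", "unreachable", "queue-full"


@dataclass
class EnginePool:
    engines: List[str]
    out_of_rotation_for: float = 60.0            # seconds an engine is skipped after a failure
    max_attempts: int = 5                        # the API tries five times within the pool
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    _next: int = field(default=0, init=False)
    _retry_at: Dict[str, float] = field(default_factory=dict, init=False)

    def _in_rotation(self, now: float) -> List[str]:
        live = [e for e in self.engines if self._retry_at.get(e, 0.0) <= now]
        if live:
            return live
        # Every engine is out of rotation: the faulty ones are called again.
        self._retry_at.clear()
        return list(self.engines)

    def pick(self) -> str:
        """Round-robin over the engines that are currently in rotation."""
        live = self._in_rotation(self.clock())
        engine = live[self._next % len(live)]
        self._next += 1
        return engine

    def scan(self, send: Callable[[str], str]) -> Optional[str]:
        """Offer the file to up to max_attempts engines; return the one that scanned it."""
        for _ in range(self.max_attempts):
            engine = self.pick()
            result = send(engine)
            if result == OK:
                return engine
            if result == UNREACHABLE:
                # Unreachable or failed mid-scan: take it out of rotation for a while.
                self._retry_at[engine] = self.clock() + self.out_of_rotation_for
            # QUEUE_FULL: the engine reported that its queued-request threshold was
            # reached. It is healthy, so it stays in rotation; the next engine is tried.
        return None
```

The `send` callable stands in for the actual ICAP exchange with one engine; the pool never marks a queue-full engine faulty, which is the distinction the text draws between a server that has "reached the queued request threshold" and one that "cannot be reached or fails during a scan".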

About supported protocols for Symantec Protection Engine


Client applications can use the following protocol to send scan requests to Symantec Protection
Engine.

Table 1-5 Supported protocols

Protocol: Internet Content Adaptation Protocol (ICAP)
    Description: ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. ICAP is part of an architecture that lets corporations, carriers, and ISPs dynamically scan, change, and augment Web content as it flows through ICAP servers. The protocol lets ICAP clients pass HTTP messages to ICAP servers for adaptation. Adaptation might include some sort of transformation or other processing, such as scanning or content filtering. The server executes its transformation service on the messages and responds to the client, usually with modified messages. The adapted messages might be either HTTP requests or HTTP responses.

    In a typical integration, a caching proxy server retrieves the requested information from the Web. It caches the information and serves multiple requests for the same Web content from the cache, where possible. A caching proxy server can use ICAP to communicate with Symantec Protection Engine. It can also request the scanning of the content that is retrieved from the Web.

    See “About working with ICAP” on page 75.

    Symantec Protection Engine supports secure ICAP communication.

    See “About secure ICAP support in Symantec Protection Engine” on page 78.

See “Supported services by protocol” on page 74.
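The ICAP exchange that Table 1-5 describes, in which a proxy hands an HTTP response to the engine for scanning, is a RESPMOD request whose payload carries the HTTP request header, the HTTP response header and the response body, with an `Encapsulated` header giving the byte offset of each section (RFC 3507). The following is an added example, not code from the Symantec Protection Engine SDK or from this guide: it builds such a request and parses the engine's reply. The host name `engine.example`, the port 1344 (the ICAP default port) and the service path `SERVICE_NAME` are placeholders, and the reply headers in the test are constructed.

```python
"""Build an ICAP RESPMOD request and parse the ICAP reply (RFC 3507).

Added illustration for the ICAP description in Table 1-5; it is not code
from the Symantec Protection Engine SDK. Host, port and service path are
placeholders: the service name is whatever your engine exposes.
"""
from typing import Dict, Tuple

CRLF = "\r\n"


def chunked(body: bytes) -> bytes:
    """Encapsulated bodies travel in HTTP chunked transfer encoding (one chunk here)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_respmod(host: str, service: str, req_hdr: bytes, res_hdr: bytes,
                  res_body: bytes, port: int = 1344) -> bytes:
    """Wrap an HTTP request header, response header and body in an ICAP RESPMOD.

    The Encapsulated header gives the byte offset of every section, measured
    from the start of the payload that follows the blank line after the ICAP
    headers. An empty body is signalled with null-body instead of res-body.
    """
    res_hdr_at = len(req_hdr)
    body_at = res_hdr_at + len(res_hdr)
    body_kind = "res-body" if res_body else "null-body"
    encapsulated = f"req-hdr=0, res-hdr={res_hdr_at}, {body_kind}={body_at}"
    icap_hdr = (
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0{CRLF}"
        f"Host: {host}{CRLF}"
        f"Allow: 204{CRLF}"            # the client accepts a 204 "nothing modified" reply
        f"Encapsulated: {encapsulated}{CRLF}{CRLF}"
    ).encode("ascii")
    payload = req_hdr + res_hdr + (chunked(res_body) if res_body else b"")
    return icap_hdr + payload


def parse_encapsulated(value: str) -> Dict[str, int]:
    """'req-hdr=0, res-hdr=48, res-body=107' -> {'req-hdr': 0, 'res-hdr': 48, 'res-body': 107}"""
    offsets = {}
    for item in value.split(","):
        name, _, pos = item.strip().partition("=")
        offsets[name] = int(pos)
    return offsets


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status code, lower-cased headers, encapsulated payload) from a raw reply."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("latin-1").split(CRLF)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, payload
```

A 204 reply means the engine had nothing to change (the content is clean and unmodified); a 200 reply carries an adapted HTTP message in its own encapsulated payload, which is where a replacement body for a blocked file would arrive. The `Allow: 204` header is what tells the server that the client can handle the shorter reply.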

What you can do with Symantec Protection Engine


Table 1-6 lists the tasks that you can perform with Symantec Protection Engine.

Table 1-6 What you can do with Symantec Protection Engine

Task: Configure protocols to pass files to Symantec Protection Engine for scanning
    Description: You can change the communication protocol that Symantec Protection Engine uses to communicate with the client applications for which it provides scanning services. The features that are available through Symantec Protection Engine differ depending on the protocol that you use.
    You can use the following protocol:

    ■ ICAP

    After you select a protocol, you must provide the configuration information specific to the protocol. The configuration options differ depending on the protocol that you select.

    See “About the communication protocols” on page 73.

Task: Detect threats
    Description: You can configure Symantec Protection Engine to scan files and email messages for threats, such as viruses and Trojan horses. You can configure the policies to process the documents that contain threats. You can also quarantine the infected files.

    See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.

    See “About quarantining files in Symantec Protection Engine” on page 85.

Task: Prevent potential threats
    Description: You can filter files and email messages to further protect your network.

    See “Configuring file size filtering in Symantec Protection Engine” on page 89.

    See “Configuring file name filtering in Symantec Protection Engine” on page 87.

    Symantec Protection Engine can also block certain types of container files that might contain threats or malicious code.

    See “About container files in Symantec Protection Engine” on page 91.

Task: Detect security risks
    Description: Symantec Protection Engine can detect security risks such as adware, dialers, hacking tools, joke programs, remote access programs, spyware, and trackware. You can also quarantine the infected files.

    See “About quarantining files in Symantec Protection Engine” on page 85.

Task: Prevent denial-of-service attacks
    Description: Symantec Protection Engine protects your network from the file attachments that can overload the system and cause denial-of-service attacks. Denial-of-service attacks can include any of the following types of container files:

    ■ Files that are overly large
    ■ Files that contain large numbers of embedded, compressed files
    ■ Files that are designed to maliciously use resources and degrade performance

    To reduce your exposure to denial-of-service threats, you can impose limits to control how Symantec Protection Engine handles container files.

    See “Setting container file limits” on page 113.

Task: Specify the files to scan
    Description: You can conserve bandwidth and time if you limit the files and messages that are scanned.

    See “Specifying which files to scan” on page 110.

    See “Specifying the maximum file or message size to scan” on page 113.

Task: Filter HTTP requests for unwanted content
    Description: If your client uses ICAP, you can apply Uniform Resource Locator (URL) filtering to block access to sites that contain unwanted content. Symantec Protection Engine uses Symantec URL categories and Child Abuse Image Content (CAIC) URL categories to scan and block the unwanted URLs.

    See “About categories” on page 118.

Task: Customize user notifications
    Description: Symantec Protection Engine lets you customize messages to users to notify them when a file has been infected or deleted. You can add the text to the body of a replacement file for a deleted attachment.

    See “Customizing notifications in the Core server only mode” on page 191.

    See “Customizing the access denied message” on page 138.

Task: Log events and review event data and statistics
    Description: Symantec Protection Engine can send events to several logging destinations. You can activate logging to each available destination when you select the logging level that you want for that destination. You can then choose the logging levels for which Symantec Protection Engine generates log messages.

    Use the Symantec Protection Engine reporting functionality to view your log data and statistics.

    See “About logging data” on page 141.

Task: Issue alerts
    Description: Symantec Protection Engine can send alerts through Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP).
    You also can activate outbreak alerts. Symantec Protection Engine can issue alerts when a certain number of the same types of threat or violations occur in a given time interval. Outbreak alerts provide an early warning of a potential outbreak so that you can take the necessary precautions to protect your network.

    See “About configuring alerts” on page 151.

Task: Monitor Symantec Protection Engine performance
    Description: You can monitor Symantec Protection Engine to ensure that it operates at an optimal level for your environment. Continual monitoring ensures that you can make the necessary adjustments as soon as you detect a degradation in performance.

    See “How to monitor Symantec Protection Engine performance” on page 98.

Task: Keep your protection up-to-date
    Description: You can update your content for Symantec Protection Engine. Content updates ensure that your network is up-to-date with the most current risk and URL definitions. You also can update Symantec Protection Engine with the latest definitions without any interruption to scanning or filtering operations.

    See “About content updates” on page 163.

Task: Perform tasks from the command-line scanner
    Description: The command-line scanner acts as a client to Symantec Protection Engine through the Symantec Protection Engine API. Use the command-line scanner to send files to Symantec Protection Engine to be scanned for threats.
    The command-line scanner also lets you take the following actions:

    ■ Recursively descend into the subdirectories to scan multiple files
    ■ Provide output information about the command-line scanner and protection engine operation

    See “About the Symantec Protection Engine command-line scanner” on page 230.
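The "Prevent denial-of-service attacks" row of Table 1-6 lists three shapes of hostile container file: overly large files, files with very many embedded compressed files, and files built to exhaust resources (deep nesting is the usual form). The following is an added example of what container limits of that kind look like when applied to a zip archive; it is not code from Symantec Protection Engine, and the engine's own limit names and defaults are documented on page 113, not here. The three thresholds in `ContainerLimits` and the sample archives built by `make_zip` are constructed for the example.

```python
"""Check a zip archive against container-file limits before it is expanded.

Added illustration of the kind of limits referred to in Table 1-6; not code
from Symantec Protection Engine. Threshold values are constructed.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ContainerLimits:
    max_files: int = 1000                          # entries across all nesting levels
    max_depth: int = 5                             # archives-within-archives to open
    max_expanded_bytes: int = 100 * 1024 * 1024    # sum of declared uncompressed sizes


def check_zip(data: bytes, limits: ContainerLimits) -> Tuple[bool, Optional[str], int, int]:
    """Return (ok, reason, files_seen, declared_expanded_bytes).

    Sizes come from each entry's declared uncompressed size, so nothing is
    inflated except nested archives, which must be opened to count their
    entries. ZipFile.read() stops at the declared size, and that size has
    already been charged against the budget, so the work stays bounded.
    """
    files = 0
    expanded = 0

    def walk(blob: bytes, depth: int) -> Optional[str]:
        nonlocal files, expanded
        if depth > limits.max_depth:
            return "nesting depth exceeds %d" % limits.max_depth
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return "not a valid zip archive"
        for info in zf.infolist():
            if info.is_dir():
                continue
            files += 1
            expanded += info.file_size
            if files > limits.max_files:
                return "more than %d files" % limits.max_files
            if expanded > limits.max_expanded_bytes:
                return "declared expanded size exceeds %d bytes" % limits.max_expanded_bytes
            if info.filename.lower().endswith(".zip"):
                reason = walk(zf.read(info), depth + 1)
                if reason:
                    return reason
        return None

    reason = walk(data, 1)
    return reason is None, reason, files, expanded


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample input: build an in-memory deflate zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

The check rejects before inflating the offending data: a highly compressible 200 KB entry is refused on its declared size alone, and a three-deep nest is refused at the depth limit without the innermost archive ever being opened. A declared size can of course be forged, which is why the limit is applied to the total declared budget and reading is bounded by it rather than trusted.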

Where to get more information


Symantec Protection Engine includes a new cloud-based online help system called Unified Help
System (UHS). The topics are categorized into buckets, and you can search for keywords.
Context-sensitive help is available for each page in the Symantec Protection Engine standalone
console as well as the centralized console.
Symantec Protection Engine 8.1 UHS is available at the following location:
https://help.symantec.com/home/spe_8_1?locale=EN_US
You can visit the Symantec Web site for more information about our product.
The following online resources are available:

■ https://support.symantec.com/en_US.html
  Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions.
■ http://customersupport.symantec.com/
  Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration.
■ https://www.symantec.com/
  Provides product news and updates.
■ https://www.symantec.com/security_response/
  Provides access to the Virus Encyclopedia, which contains information about all known threats, information about hoaxes, and access to white papers about threats.

Information collected by Symantec Protection Engine


Automatically collected and transmitted information at install-time
Symantec Protection Engine collects from your environment, and automatically transmits to
Symantec, the following data, without limitation:
■ Licensed software version
■ SKU
■ OS name, version, and language
■ UniqueSSEID
■ Memory and disk size
■ Hashed domain name
■ Deployment use case (e.g., mail, web proxy)
■ Status of URL filtering feature (whether enabled or disabled)
■ Status of Symantec Insight (reputation) functionality (whether enabled or disabled) which
uses a security technology that puts files in context using age, frequency, location, and
more to expose threats otherwise missed
■ URL of the portable executable file being scanned
■ AppName
■ Guid
■ Timestamp
■ Product name
■ Language
■ Module error
■ Module name
■ Build
■ Architecture
■ InstallPath
■ InstallType
■ Locale
■ ProcessorCoreCount
■ TotalFreeMemoryInMB

■ FreeDiskSpaceInGB
■ TotalMemoryInMB
■ TotalUsedMemoryInMB
■ VendorName
■ VirtualGuest

Automatically collected and transmitted information at run-time


Symantec Protection Engine sends run-time telemetry data that contains the following details
to Symantec:
■ TotalFilesScanned
■ Threats
■ FilesScanned
■ TotalMegabytesScanned
■ MegabytesScanned
■ URLsScanned
■ URLsBlocks
■ APKReputationViolations
■ Product name
■ Licensed software version
■ Build
■ Language
■ Module error
■ Module name
■ UniqueSSEID
■ AppName
■ Deployment
■ DomainNameHash
■ InstallType
■ Reputation
■ SKU
■ Threats

■ URL
Symantec collects this telemetry data to learn about the threats, APK violations, and blocked
URLs among the overall files and URLs scanned.
The details are sent on the first day of every month if Symantec Protection Engine is running on
that day. If Symantec Protection Engine is not running on the first of the month, the report for
that month is not sent.

Automatically collected and stored data


Symantec Protection Engine may collect from your environment, and store in your environment,
the following data, without limitation:
■ Quarantined files on a quarantine server (if configured)
■ Conviction metadata, including user name, computer name, file name, and IP address
■ Internet Protocol (IP) address and/or Media Access Control address and the machine ID
of the system on which the licensed software is installed
■ Source IP address; and/or URL of the portable executable file being scanned.
The stored data may be transmitted to Symantec only if you choose to do so, either manually
or by configuring Symantec Protection Engine. Transmitting stored data to Symantec is optional,
and you will be able to use Symantec Protection Engine even if you do not transfer this data
to Symantec.

How is your data used?


Your transmitted data, stored data and/or personal information (collectively, “Information”) may
be used as follows:
■ Enabling and optimizing the performance of Symantec Protection Engine
■ Providing support or debug assistance
■ Research and development, such as improving Symantec’s products or services (e.g., to
protect your network, end-users, devices and/or data)
■ License administration
■ Combating actual or potential fraudulent, criminal, illegal, or unauthorized activity
■ For any other purpose with your consent; and/or
■ In an anonymized and/or aggregated form for general security research purposes of
statistical analysis of product deployment, including analysis of trends and comparisons in
our aggregated install base.
For purposes of this Privacy Notice, “personal information” means the information that can be
used to reasonably identify an individual. We may also collect your personal information when
you contact us about any Symantec product or service, such as for technical support.

Storing or retaining your information


We are a global organization and may transfer your Information to other countries, including
countries that may have less protective data protection laws than the country in which you are
located (including the European Union). For the purposes described in this Privacy Notice,
your Information may be stored or processed manually and/or electronically through global
systems and tools. Your Information may also be retained if necessary to combat actual or
potential fraudulent, criminal, illegal or unauthorized activity, or as otherwise required or
permitted by law.

Disclosing your information

We may disclose your information (i) to vendors or third parties that process data on behalf of
Symantec; (ii) in connection with any proposed or actual sale or other transfer of some or all
assets of Symantec in the event of a reorganization, merger, acquisition, or sale of our assets;
and/or (iii) as otherwise permitted by you.
To promote research, awareness, detection, or prevention of security risks, Symantec may
disclose Information to relevant public and/or private entities, such as cybersecurity research
organizations and security software vendors. In such cases, we will endeavor to anonymize
such information or to minimize any personal information in it to the extent reasonably possible
without defeating purposes of security risk research, awareness, detection, or prevention.
Subject to applicable laws, Symantec reserves the right to cooperate with any legal process,
or any law enforcement or other government inquiry, related to your use of Symantec Protection
Engine, including disclosing Information if relevant to a court subpoena or to a law enforcement
or other government investigation, or as otherwise required by our legal obligations.

How we protect your information

To protect Information, we have taken reasonable and appropriate administrative, technical,
organizational and physical security and risk management measures, in accordance with
applicable laws.

Your obligation to personal information

It is your responsibility to ensure that any disclosure by you to Symantec of personal information
of your users or third parties is in compliance with applicable privacy and data security laws,
including informing users and third parties that you are providing their personal information to
Symantec, informing them of how it will be transferred, used or processed, and gathering
appropriate consents or other legal measures required for such transfer, use or processing.

Data access

Under certain circumstances and subject to this Privacy Notice, you may be able to request
to access, update, correct, or remove personal information we have about you.

Contact us

Please contact us at privacyteam@symantec.com if you have any questions.

Changes to this Privacy Notice


We reserve the right to revise or modify this Privacy Notice, and will note the date of its most
recent revision above. If we make significant changes to this Privacy Notice, and where required
by applicable law, we will either notify you either by prominently posting a notice of such
changes prior to implementing the changes or by directly sending you a notification.

Onboarding to a centralized cloud console


In Symantec Protection Engine 8.0 and later, you can use a centralized cloud console from
which you can manage multiple Symantec Protection Engine instances. After you install Symantec
Protection Engine, you must create an account with the Symantec Security Cloud platform to
start using the console. You must have a valid Symantec Protection Engine license file (.slf),
which can be either a paid or a trial license.

Step 1 Install Symantec Protection Engine 8.0 or later with a valid trial or paid license.

See “About licensing” on page 63.

Step 2 Initiate the on-boarding process using the cloudmgmtutil utility that is available
in the Symantec Protection Engine installation directory.

See “To create an account for centralized cloud console” on page 26.

Step 3 Provide the required details in the form and create an account.

See “To create an account for centralized cloud console” on page 26.

To create an account for centralized cloud console


1 Log on to the Symantec Protection Engine computer as the root user.
2 Navigate to the Symantec Protection Engine installation directory.
The default installation directory is:
■ Linux: /opt/SYMCScan/bin

3 On Linux, you must add the Symantec Protection Engine installation directory to the
LD_LIBRARY_PATH environment variable before you run the cloudmgmtutil utility. Run the
following commands:
export LD_LIBRARY_PATH=/opt/SYMCScan/bin:$LD_LIBRARY_PATH

echo $LD_LIBRARY_PATH

4 You must have a valid Symantec Protection Engine license file (.slf), which can be either a
paid or a trial license.
Ensure that the default license directory does not contain any other Symantec Protection
Engine licenses. The default license directory is:
■ Linux: /opt/Symantec/Licenses

5 Execute the following command to initiate the onboarding process.
■ If you have a valid license already installed on the Symantec Protection Engine
computer:
■ For Linux: ./cloudmgmtutil -onboard
■ If you have a valid license file, but it is not yet installed on the Symantec Protection
Engine computer:
■ For Linux: ./cloudmgmtutil -onboard -lf [licensefile]
Where [licensefile] is the location of the license file (.slf).
This command installs the license file on the Symantec Protection Engine computer
and initiates the onboarding process. However, you must restart the Symantec
Protection Engine service manually to apply the license.

6 The command generates a URL. Copy the URL and paste it into your browser.

Note: Ensure that you copy the complete URL.

7 A Welcome to Symantec Protection Engine Onboarding page appears. Read the
exclusive capabilities of Symantec Protection Engine when accessed through the
centralized console, and click Acknowledge & Continue.
8 Provide the required details in the Create Account form.
9 Read and accept the Symantec privacy policy and click Create Account.
10 You receive an email with the logon credentials for the centralized console. Follow the
instructions in the email to log on to the centralized console.
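Steps 1 through 5 of the procedure above are easy to get slightly wrong on a fleet (a stale second .slf in the license directory, or cloudmgmtutil started without the library path). The following is an added pre-flight helper, not part of the product or of this guide: it checks the license directory the way step 4 asks, prepares LD_LIBRARY_PATH as in step 3, and assembles the step 5 command line, running cloudmgmtutil only when `run_onboarding()` is called. The paths are the Linux defaults quoted in the procedure; the reading of "no other licenses" as "exactly one installed .slf when onboarding with an installed license, none when installing one with -lf" is this example's interpretation.

```python
"""Pre-flight for the cloudmgmtutil onboarding procedure.

Added illustration, not a Symantec tool. Paths are the Linux defaults from
the procedure; the license-directory rule is this example's interpretation
of step 4.
"""
import os
import subprocess
from pathlib import Path
from typing import List, Optional

INSTALL_DIR = "/opt/SYMCScan/bin"
LICENSE_DIR = "/opt/Symantec/Licenses"


def onboarding_env(install_dir: str = INSTALL_DIR, base: Optional[dict] = None) -> dict:
    """Copy of the environment with the install directory prepended to LD_LIBRARY_PATH (step 3)."""
    env = dict(os.environ if base is None else base)
    existing = env.get("LD_LIBRARY_PATH", "")
    env["LD_LIBRARY_PATH"] = install_dir + (":" + existing if existing else "")
    return env


def license_problems(installed_slfs: Optional[List[str]], license_file: Optional[str],
                     license_file_exists: bool = True) -> List[str]:
    """Pure check behind step 4; installed_slfs is None when the license directory is missing."""
    problems = []
    if installed_slfs is None:
        problems.append("license directory does not exist")
    elif license_file is None and len(installed_slfs) != 1:
        problems.append("expected exactly one installed .slf, found %d" % len(installed_slfs))
    elif license_file is not None and installed_slfs:
        problems.append("remove other licenses before installing %s: %s"
                        % (license_file, ", ".join(installed_slfs)))
    if license_file is not None and not license_file_exists:
        problems.append("license file %s not found" % license_file)
    return problems


def check_license_dir(license_dir: str, license_file: Optional[str]) -> List[str]:
    """Filesystem wrapper around license_problems()."""
    slfs = sorted(p.name for p in Path(license_dir).glob("*.slf")) if os.path.isdir(license_dir) else None
    return license_problems(slfs, license_file, license_file is None or os.path.isfile(license_file))


def onboarding_command(license_file: Optional[str] = None, install_dir: str = INSTALL_DIR) -> List[str]:
    """The step 5 command line: -onboard, plus -lf when a license file still has to be installed."""
    cmd = [os.path.join(install_dir, "cloudmgmtutil"), "-onboard"]
    if license_file is not None:
        cmd += ["-lf", license_file]
    return cmd


def run_onboarding(license_file: Optional[str] = None, install_dir: str = INSTALL_DIR,
                   license_dir: str = LICENSE_DIR) -> str:
    """Run the checks, then cloudmgmtutil; returns its output, which contains the onboarding URL."""
    if os.geteuid() != 0:
        raise PermissionError("run as root (step 1)")
    problems = check_license_dir(license_dir, license_file)
    if problems:
        raise RuntimeError("; ".join(problems))
    done = subprocess.run(onboarding_command(license_file, install_dir), cwd=install_dir,
                          env=onboarding_env(install_dir), check=True,
                          capture_output=True, text=True)
    return done.stdout
```

Step 6 warns that the generated URL must be copied completely; keeping the utility's output as a string, as `run_onboarding()` does, avoids the truncation that happens when it is read off a terminal.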
Chapter 2
Installing Symantec Protection Engine
This chapter includes the following topics:

■ Before you install Symantec Protection Engine

■ System requirements

■ About installing Symantec Protection Engine

■ Symantec Protection Engine post-installation tasks

■ Migrating to version 8.1

■ Uninstalling Symantec Protection Engine

Before you install Symantec Protection Engine


Install Symantec Protection Engine on a computer that meets the system requirements. Before
you install Symantec Protection Engine, install and configure the operating system software
and applicable updates for your server. Also ensure that your operating system software and
server work correctly. For more information, see the documentation for your server.
See “System requirements” on page 29.
Before you install Symantec Protection Engine, take the following steps:
■ Install 64-bit Java Runtime Environment (JRE) 8.0 Update 111 or later and JRE 10.0 or
later on the Linux server.
■ On a Linux operating system, ensure that the hostname is configured in /etc/hosts.
For example: <IP_Addr> Hostname.domain.com Hostname
■ Disable any third-party antivirus products that are running on the server on which you plan
to install Symantec Protection Engine. You can turn on antivirus protection after installation
is complete.
Symantec Protection Engine scans the files that client applications pass to Symantec
Protection Engine. Symantec Protection Engine does not protect the computer on which
it runs. Since Symantec Protection Engine processes the files that might contain threats,
the server on which it runs is vulnerable if it has no real-time protection.
Use an antivirus program, such as Symantec Endpoint Protection, to protect the server on
which Symantec Protection Engine runs. To prevent scanning conflicts, configure the antivirus
program not to scan the temporary directory that Symantec Protection Engine uses for
scanning.
■ Review the deployment considerations and recommendations. These recommendations
can enhance your overall performance.
See “Deployment considerations and recommendations” on page 107.
After you complete the installation, perform the post-installation tasks.
See “Symantec Protection Engine post-installation tasks” on page 41.
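Two items in the list above are checkable before the installer runs: the /etc/hosts entry for the server's hostname, and the JRE version (8.0 Update 111 or later, or 10.0 or later). The following is an added example, not a Symantec tool: `hosts_entry_for()` parses /etc/hosts text for the hostname (as the fully qualified name or the short alias, ignoring comments) and returns the address it maps to, and `jre_meets_requirement()` parses the first line of `java -version` output in both the legacy `1.8.0_111` and the newer `10.0.2` forms. The hosts lines and version banners in the test are constructed.

```python
"""Checks for two items in the pre-install list: the /etc/hosts entry and the JRE version.

Added illustration, not a Symantec tool. Only the JRE versions the guide
names are accepted (8 at update 111 or later, or 10 and later); sample
inputs are constructed.
"""
import re
from typing import Optional, Tuple


def hosts_entry_for(hosts_text: str, hostname: str) -> Optional[str]:
    """Return the address of the /etc/hosts line that names hostname (FQDN or alias), else None."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if any(name.lower() == hostname.lower() for name in names):
            return address
    return None


# Matches both '1.8.0_111' (legacy: 1.<major>.<minor>_<update>) and '10.0.2' (new: <major>.<minor>.<security>).
_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner: str) -> Tuple[int, int]:
    """Map a `java -version` banner to (major, update-or-minor)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version string in: %r" % banner)
    first, second, _third, update = (int(x) if x else 0 for x in m.groups())
    if first == 1:                 # legacy form: 1.8.0_111 -> major 8, update 111
        return second, update
    return first, second           # new form: 10.0.2 -> major 10, minor 0


def jre_meets_requirement(banner: str) -> bool:
    """True for JRE 8 Update 111 or later, or JRE 10.0 or later, as the guide requires."""
    major, second = parse_java_version(banner)
    if major == 8:
        return second >= 111
    return major >= 10
```

The address that `hosts_entry_for()` returns is worth comparing with the static address of the NIC that the system requirements call for; a hostname that only maps to a loopback address is not the configuration the example line `<IP_Addr> Hostname.domain.com Hostname` describes.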

System requirements
Before you install Symantec Protection Engine, verify that your server meets the minimum
system requirements.
■ System requirements to install Symantec Protection Engine on Linux
For Symantec Protection Engine platform support matrix, see the following pages:
■ Symantec Protection Engine for Cloud Services
https://support.symantec.com/en_US/article.DOC11401.html
■ Symantec Protection Engine for Network Attached Storage
https://support.symantec.com/en_US/article.DOC11402.html

System requirements to install Symantec Protection Engine on Linux


The minimum system requirements to install Symantec Protection Engine on Linux are as
follows:

Operating system
    ■ Red Hat Enterprise Linux Server 6.8 (64-bit) or later
    ■ Red Hat Enterprise Linux Server 7.0 (64-bit) or later
    ■ CentOS Linux 7.1 (64-bit) or later

    Ensure that your operating system has the latest service patches available.

Processor
    Intel or AMD Server Grade Single Processor Quad Core systems or higher

Memory
    16 GB RAM or higher

Disk space
    40 GB of hard disk space

    60 GB of hard disk space for using the URL Filtering feature

Hardware
    ■ Network interface card (NIC) running TCP/IP with a static IP address
    ■ Internet connection to update definitions
    ■ 100 Mbps Ethernet link (1 Gbps recommended)

Software
    ■ Ensure that the following packages are installed:
        ■ 64-bit zlib library package
        ■ GNU sharutils-4.6.1-2 or later
        ■ 64-bit GNU libuuid-2.17.2-6 or later
        ■ ncompress-4.2.4-44 or later
        ■ 64-bit GNU C Library (glibc) 2.17.260 or later
        ■ Initscripts
          This package is required for Red Hat Linux only.
        ■ pidof
          This package is required to find the process IDs of the running programs.
    ■ 64-bit Java Runtime Environment (JRE) 8.0 Update 111 or later and JRE 10.0 or later
        ■ We recommend that you use the latest JRE version to avoid any known vulnerabilities.
        ■ JRE is required only if you plan to operate Symantec Protection Engine in the Core server with user interface mode.
        ■ Install JRE using Red Hat Package Manager (RPM). Ensure that you note the installation location. You must provide the location of the JRE if the installer is unable to detect it.
        ■ To know about the operating systems that JRE 10.0.2 (64-bit) supports, refer to the official Oracle documentation or the Symantec Protection Engine Java Support Matrix.
    ■ One of the following Web browsers to access the Symantec Protection Engine console:
        ■ Microsoft Internet Explorer 11 or later
          Use Microsoft Internet Explorer to access the Symantec Protection Engine console from a Windows client computer.
          Note: If you are using the 64-bit Internet Explorer browser, you must add the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN] "TabProcGrowth"=dword:00000000
        ■ Mozilla Firefox 32-bit (Extended Support Release) 45 or later
          Use Mozilla Firefox to access the Symantec Protection Engine console from a Linux client computer.
      The Web browser is required only for Web-based administration. You must install the Web browser on a computer from which you want to access the Symantec Protection Engine console. The computer must have access to the server on which Symantec Protection Engine runs.

    Note: If any of the above package binaries is already present on the computer and the installer is still unable to find it, you can add the path to the binary to the LD_LIBRARY_PATH environment variable.

Hypervisor support
    ■ Windows 2008 R2 Hyper-V
    ■ Windows 2012 Hyper-V
    ■ VMware vSphere 5.5 or later
    ■ VMware vSphere 6.0 or later

    The following Linux guest operating systems have been certified on Hyper-V:
    ■ Red Hat Enterprise Linux Server 6.8 (64-bit) or later
    ■ CentOS 7.1 or later

See “Installing Symantec Protection Engine on Linux” on page 34.

About installing Symantec Protection Engine


The Symantec Protection Engine installer checks for the previous version of the product before
installing or upgrading to a newer version. The results of the check determine what happens
next.
Table 2-1 describes the action taken by the installer when no previous version is installed or
an existing version of Symantec Protection Engine is installed.

Table 2-1 Installer check results

Version: No previous version is detected
    Action taken by installer: A full installation is performed.

Version: Version 8.0.x is detected
    Action taken by installer: Symantec Protection Engine 8.1 supports an upgrade from version 8.0.x. You can choose to upgrade the product and preserve your existing settings or perform a clean upgrade. If you choose to do a clean upgrade, the installer removes the previous version, and then installs the newer version as a full installation, without preserving any previous settings.

Version: Version 7.9.x is detected
    Action taken by installer: Symantec Protection Engine 8.1 supports an upgrade from version 7.9.x. You can choose to upgrade the product and preserve your existing settings or perform a clean upgrade. If you choose to do a clean upgrade, the installer removes the previous version, and then installs the newer version as a full installation, without preserving any previous settings.

Version: Version 7.8.x is detected
    Action taken by installer: Symantec Protection Engine 8.1 supports an upgrade from version 7.8.x. You can choose to upgrade the product and preserve your existing settings or perform a clean upgrade. If you choose to do a clean upgrade, the installer removes the previous version, and then installs the newer version as a full installation, without preserving any previous settings.

Version: Version 7.5 is detected
    Action taken by installer: Symantec Protection Engine does not support direct upgrades from version 7.5.x. You must first migrate to version 7.8.0.
    A separate utility to migrate from 7.5.x to 7.8.0 is provided.
    For more information, see the Symantec Protection Engine 7.8.0 Migration Utility at the following location:
    https://support.symantec.com/en_US/article.INFO3603.html

Version: Version 7.0 is detected
    Action taken by installer: Symantec Protection Engine does not support direct upgrades from version 7.0.x. You must first upgrade to version 7.5.x.

After you install Symantec Protection Engine, activate all applicable licenses. If you upgrade
from a previous version that has valid licenses, when the installation is complete, Symantec
Protection Engine automatically recognizes these licenses.
See “About licensing” on page 63.
Symantec Protection Engine is shipped with the minimum set of URL definitions. If you want
to use URL filtering feature, ensure that you run LiveUpdate and get the latest URL definitions
before you start URL filtering.
See “About filtering URLs” on page 117.
If Symantec Protection Engine fails to start before it can initiate standard logging, information
about the failure is written to the abort log file (SymantecProtectionEngineAbortLog.txt). This
file is located in the installation directory (/opt/SYMCScan).
If you need to install or upgrade multiple Symantec Protection Engines on your network, you
can use the silent installation or upgrade feature to facilitate the process.
See “About silent installation and upgrade” on page 223.
See “About authentication modes in Symantec Protection Engine” on page 33.
See “Installing Symantec Protection Engine on Linux” on page 34.

About authentication modes in Symantec Protection Engine


During installation of Symantec Protection Engine, you can choose the following authentication
mode for accessing the Symantec Protection Engine console.

Symantec Protection Engine-based authentication
    Users can access the Symantec Protection Engine console using a Symantec Protection
    Engine user password. This authentication mode is available for non-Windows platforms.

See “About installing Symantec Protection Engine” on page 32.


See “Installing Symantec Protection Engine on Linux” on page 34.

Installing Symantec Protection Engine on Linux


You can install Symantec Protection Engine to run with the rights and privileges of a system
user other than root or superuser.

Note: After the installation, Symantec Protection Engine starts LiveUpdate to download the
latest definitions. Definitions download may take some time depending on your network
bandwidth. Symantec Protection Engine service is available for scanning after the LiveUpdate
is completed successfully.

Select one of the following procedures for the type of installation or upgrade that you want to
perform:
■ First time product installation
See “To install Symantec Protection Engine on Linux” on page 34.
■ Upgrade from a previous version
See “Upgrading Symantec Protection Engine on Linux” on page 37.
■ Perform a clean upgrade
Uninstalls your current version of Symantec Protection Engine and installs the newer
version.
See “Configuring clean upgrade installation options on Linux” on page 37.
■ Perform a preserved settings upgrade
Uninstalls your current version of Symantec Protection Engine and installs the newer
version, while preserving your existing settings.
See “Configuring preserve settings upgrade installation options on Linux” on page 40.

To install Symantec Protection Engine on Linux


1 Log in to the computer on which you want to install Symantec Protection Engine as root.
2 Change directories to the location where the SymantecProtectionEngine.sh file is located
in the product.zip file.
<drive>:/Symantec_Protection_Engine/RedHat/

3 Type the following command:

./SymantecProtectionEngine.sh

4 Press y to continue with the interactive installation.


5 After you review the Symantec License Agreement, press y to indicate that you
agree with the terms of the agreement.
If you indicate n, the installation is canceled.
6 When prompted for the application type that closely resembles your deployment with
Symantec Protection Engine, select one of the following:
■ 0 for Email Server
■ 1 for Proxy/Web cache server
■ 2 for Other Application
If you select 2, enter the application name.

Note: The application name can be up to 40 characters long.

7 Select the location to install Symantec Protection Engine, and then press Enter.
The default location is /opt/SYMCScan.
8 When you are prompted whether you want Symantec Protection Engine to run as root,
select one of the following settings:

y    Symantec Protection Engine is installed to run as root.

n    Symantec Protection Engine is installed not to run as root. This is the default setting.

9 If you selected not to run Symantec Protection Engine as root, type the user account that
you want to use.
The user account must already exist.
10 Press y to specify if you want to enable URL filtering and download URL definitions.
To change the setting after installation, go to Policies > Filtering > URL to enable this
option.

11 Press y to specify if you want to enable URL Reputation and download URL Reputation
definitions.
See “Configuring URL Reputation ” on page 140.
See “Enabling URL Reputation in the Core server only mode ” on page 205.
12 To specify whether you want to use the user-interface console in Symantec Protection
Engine, select one of the following options:

y    Select this option if you want to use the user-interface console of Symantec Protection
     Engine. Symantec Protection Engine automatically detects Java installed on your computer.
     If Java is not detected on your computer, you must specify the location where 64-bit Java
     Runtime Environment (JRE) 8.0 Update 111 or later is located.
     Proceed to step 13.

n    Select this option if you do not want to use the user-interface console of Symantec
     Protection Engine.
     Proceed to step 16.

13 Select the port number on which the Web-based console listens.


The default port number is 8004. If you change the port number, use a number that is
greater than 1024 and that is not in use by any other program or service. You can disable the
console by typing 0. If you disable the console, you can configure Symantec Protection
Engine by editing the configuration data XML file.

14 Specify the Secure Socket Layer (SSL) port number on which encrypted files are
transmitted for increased security.
The default SSL port number is 8005. If this port is already in use, specify an SSL port
that is not in use by any other program or service. Use a port number that is greater than
1024.
15 Type a password for the administrative account, and then confirm the password by typing
it again.
16 Select the aggression level from the following options. The aggression level defines the
detection aggression level of antimalware technologies.
■ 0 for Known Bad
■ 1 for Low
■ 2 for Medium
■ 3 for High

The installer proceeds from this point with the installation.
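Two of the answers in the procedure above are easy to get wrong: the non-root account in steps 8 and 9 must already exist, and the console and SSL ports in steps 13 and 14 must be unused, above 1024, and distinct. The following shell script is an added example written for this procedure; it is not part of the Symantec installer or its documentation. It assumes POSIX sh with `id`, the Linux shadow-utils `useradd` (the `/sbin/nologin` path may differ on your distribution), and applies the strictest reading of the port rules given in this chapter: 0 disables the console, and any other port must lie between 1025 and 65535, which also rules out the 80 and 443 that the guide tells you to avoid.

```sh
#!/bin/sh
# Added example for the installation prompts above; not part of the Symantec installer.
# Assumptions: POSIX sh with `id`; shadow-utils `useradd` on Linux; the nologin shell
# path may need adjusting on your distribution.

# 0 if the account exists. The installer expects the non-root account to exist already
# (steps 8 and 9), so check before starting the interactive installation.
spe_user_exists() {
    id "$1" >/dev/null 2>&1
}

# Create a locked-down account for a non-root installation: a system account with no
# home directory and no interactive shell, so the scanning daemon runs with the least
# privilege the guide allows. Requires root; defined here but not invoked.
spe_create_service_user() {
    if spe_user_exists "$1"; then
        echo "account $1 already exists"
        return 0
    fi
    useradd -r -M -s /sbin/nologin "$1"
}

# A usable port for the console or SSL listener: numeric, above 1024, at most 65535.
# This is the strictest reading of the rules in this chapter; it also excludes the
# well-known ports 80 and 443 that the guide says not to use.
spe_port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# The console port additionally accepts 0, which disables the Web-based console
# (configuration is then done by editing the XML configuration file).
spe_console_port_ok() {
    [ "$1" = "0" ] || spe_port_ok "$1"
}

# Console port and SSL port together: each valid, and not the same number, because
# the guide requires each port to be exclusive to its listener.
spe_console_ports_ok() {
    spe_console_port_ok "$1" && spe_port_ok "$2" && [ "$1" -ne "$2" ]
}

# Demonstration on constructed answers; makes no change to the system.
for answer in "8004 8005" "0 8005" "8004 8004" "443 8005" "abc 8005"; do
    set -- $answer
    if spe_console_ports_ok "$1" "$2"; then
        echo "console=$1 ssl=$2: accepted"
    else
        echo "console=$1 ssl=$2: rejected"
    fi
done
```

Run `spe_user_exists` and `spe_console_ports_ok` with the values you intend to type before starting `./SymantecProtectionEngine.sh`; `spe_create_service_user` creates the account only when it is missing.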


See “Symantec Protection Engine post-installation tasks” on page 41.
See “About installing Symantec Protection Engine” on page 32.

Upgrading Symantec Protection Engine on Linux


You can upgrade Symantec Protection Engine from a previous version to a newer version. You
can either preserve your existing settings or uninstall the previous version and install the
newer version.
See “Configuring clean upgrade installation options on Linux” on page 37 to upgrade Symantec
Protection Engine using the clean upgrade installation option.
See “Configuring preserve settings upgrade installation options on Linux” on page 40 to upgrade
Symantec Protection Engine using the preserve settings upgrade installation option.
See “Installing Symantec Protection Engine on Linux” on page 34.
See “About installing Symantec Protection Engine” on page 32.

Configuring clean upgrade installation options on Linux


The clean upgrade option uninstalls the previous version of Symantec Protection Engine and
installs the newer version.
To configure clean upgrade installation options on Linux
1 Log in to the computer on which you want to install Symantec Protection Engine as root.
2 Change directories to the location where the SymantecProtectionEngine.sh file is located
in the product.zip file.
<drive>:\Symantec_Protection_Engine\RedHat\
3 Type the following command:
./SymantecProtectionEngine.sh

4 Press y to continue with the interactive installation.


5 After you review the Symantec License Agreement, press y to indicate that you
agree with the terms of the agreement.
If you indicate n, the installation is canceled.
6 Select 1 for the Clean upgrade option.
Existing settings are not preserved.
7 When prompted for the application type that closely resembles your deployment with
Symantec Protection Engine, select one of the following:
■ 0 for Email Server
■ 1 for Proxy/Web cache server
■ 2 for Other Application
If you select 2, enter the application name.

Note: The application name can be up to 40 characters long.

8 Select the location to install Symantec Protection Engine, and then press Enter.
The default location is /opt/SYMCScan.
9 When you are prompted whether you want Symantec Protection Engine to run as root,
select one of the following settings:

y    Symantec Protection Engine is installed to run as root.

n    Symantec Protection Engine is installed not to run as root. This is the default setting.

10 If you selected not to run Symantec Protection Engine as root, type the user account that
you want to use.
The user account must already exist.
11 Press y to specify if you want to enable URL Filtering and download URL Filtering
definitions.
To change the setting after installation, go to Policies > Filtering > URL to enable this
option.
For Core server only mode: See “Enabling URL filtering in the Core server only mode ”
on page 204.
12 Press y to specify if you want to enable URL Reputation and download URL Reputation
definitions.
To change the setting after installation, go to Policies > Filtering > URL to enable this
option.
For Core server only mode: See “Enabling URL Reputation in the Core server only mode
” on page 205.

13 To specify whether you want to use the user-interface console in Symantec Protection
Engine, select one of the following options:

y    Select this option if you want to use the user-interface console of Symantec Protection
     Engine. Symantec Protection Engine automatically detects Java installed on your computer.
     If Java is not detected on your computer, you must specify the location where 64-bit Java
     Runtime Environment (JRE) 8.0 Update 111 or later is located.
     Proceed to step 14.

n    Select this option if you do not want to use the user-interface console of Symantec
     Protection Engine.
     Proceed to step 17.

14 Specify the port number on which the Web-based console listens.


The default port number is 8004. If you change the port number, use a number that is
greater than 1024 and that is not in use by any other program or service. You can disable the
console by typing 0. If you disable the console, you can configure Symantec Protection
Engine by editing the configuration data XML file.
See “About editing the Symantec Protection Engine configuration files” on page 257.
15 Specify the Secure Socket Layer (SSL) port number on which encrypted files are
transmitted for increased security.
The default SSL port number is 8005. If this port is already in use, specify an SSL port
that is not in use by any other program or service. Use a port number that is greater than
1024.
16 Type a password for the administrator account, and then confirm the password by typing
it again.
17 Select the scanning aggression level from the following options. The aggression level
defines the detection aggression level of antimalware technologies.
■ 0 for Known Bad
■ 1 for Low
■ 2 for Medium
■ 3 for High
The installer proceeds from this point with the installation.
See “Symantec Protection Engine post-installation tasks” on page 41.
See “Installing Symantec Protection Engine on Linux” on page 34.

See “Upgrading Symantec Protection Engine on Linux” on page 37.


See “About installing Symantec Protection Engine” on page 32.

Configuring preserve settings upgrade installation options on Linux


The preserve settings upgrade option uninstalls the existing version of Symantec Protection
Engine and installs the version to which you want to upgrade.
If you are upgrading from version 5.x to version 7.x, you are required to type the virtual
administrator account password due to the introduction of stronger ciphers.
To configure Symantec Protection Engine with preserved settings upgrade installation options
on Linux
1 Log in to the computer on which you want to install Symantec Protection Engine as root.
2 Change directories to the location where the SymantecProtectionEngine.sh file is located
in the product.zip file.
<drive>:\Symantec_Protection_Engine\RedHat\
3 Type the following command:
./SymantecProtectionEngine.sh

4 Press y to continue with the interactive installation.


5 After you review the Symantec License Agreement, press y to indicate that you
agree with the terms of the agreement. If you indicate n, the installation is canceled.
6 Select 2 for the Upgrade preserving existing settings option. Existing settings are preserved.
7 To specify whether you want to use the user-interface console in Symantec Protection
Engine, select one of the following options:

y    Select this option if you want to use the user-interface console of Symantec Protection
     Engine. Symantec Protection Engine automatically detects Java installed on your computer.
     If Java is not detected on your computer, you must specify the location where 64-bit Java
     Runtime Environment (JRE) 8.0 Update 111 or later is located.
     Proceed to step 8.

n    Select this option if you do not want to use the user-interface console of Symantec
     Protection Engine.
     Proceed to step 10.

Note: Steps 7 to 10 are not applicable if you are upgrading from Symantec Protection
Engine 7.9.0.

8 Specify the port number on which the Web-based console listens.


The default port number is 8004. If you change the port number, use a number that is
greater than 1024 and that is not in use by any other program or service. You can disable the
console by typing 0. If you disable the console, you can configure Symantec Protection
Engine by editing the configuration data XML file.
See “About editing the Symantec Protection Engine configuration files” on page 257.
9 Specify the Secure Socket Layer (SSL) port number on which encrypted files are
transmitted for increased security.
The default SSL port number is 8005. If this port is already in use, specify an SSL port
that is not in use by any other program or service. Use a port number that is greater than
1024.
10 Type a password for the administrator account, and then confirm the password by typing
it again.
See “Symantec Protection Engine post-installation tasks” on page 41.

Symantec Protection Engine post-installation tasks


The Symantec Protection Engine post-installation tasks are as follows:
■ Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux
■ Clearing the Java cache
■ Accessing the Symantec Protection Engine console
■ Enhancing security for the HTTPS servers and SSL servers
■ Allocating resources for Symantec Protection Engine

Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux
Symantec Protection Engine starts automatically as a daemon when the installation is complete.
A transcript of the installation is saved as /var/log/SYMCScan-install.log for later review. You
can verify whether the service is running after you install the product.
You might need to stop and restart the Symantec Protection Engine daemon. When you do,
the client applications that are submitting files for scanning can lose their connection to
Symantec Protection Engine. The client applications must re-establish their connections and
resubmit files for scanning.
Symantec Protection Engine also installs the new Symantec Protection Engine Update Manager
service. LiveUpdate requests from Symantec Protection Engine are served by this separate
service. Symantec Protection Engine starts and stops the Update Manager service automatically.
To verify that the Symantec Protection Engine daemon is running on Linux
1 At the command prompt, type the following command:

ps -ea | grep symcscan

A list of processes similar to the following appears:

5358 ?    0:00 symcscan
5359 ?    0:00 symcscan

If nothing is displayed, the Symantec Protection Engine daemon did not start.
2 If the Symantec Protection Engine daemon did not start, type the following command:

/etc/init.d/symcscan restart

With the new configuration, Symantec Protection Engine might take longer to start than
it did in previous versions.
To stop and restart the Symantec Protection Engine daemon on Linux
1 Log in to the computer as root.
2 At the command prompt, type one of the following commands:

To stop the service                           /etc/init.d/symcscan stop

To start the service                          /etc/init.d/symcscan start

To stop and immediately restart the service   /etc/init.d/symcscan restart
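As an added example that is not from the Symantec guide, the following POSIX shell script wraps the verification and recovery steps above into one check that can run from cron or from a configuration-management post-install hook. It assumes the process name `symcscan`, the init script `/etc/init.d/symcscan`, and the abort log location under `/opt/SYMCScan` exactly as this chapter states them; the `ps` listings embedded in it are constructed so that the parsing can be exercised without a running installation.

```sh
#!/bin/sh
# Added example for the daemon checks above; not part of the Symantec product.
# Assumptions: process name symcscan, init script /etc/init.d/symcscan and the abort log
# under /opt/SYMCScan, all as stated in this chapter.

SPE_HOME="${SPE_HOME:-/opt/SYMCScan}"
SPE_ABORT_LOG="$SPE_HOME/SymantecProtectionEngineAbortLog.txt"

# Number of symcscan processes in text shaped like `ps -e` output. The text is passed
# as an argument so the function can be run on captured output. The snapshot is taken
# before grep runs, so grep itself is never counted, and anchoring on the command
# column keeps similarly named processes out of the count.
spe_count_from_ps() {
    printf '%s\n' "$1" | grep -c '[[:space:]]symcscan$' || true
}

# 0 if at least one symcscan process is present in the given `ps` text.
spe_running_in() {
    [ "$(spe_count_from_ps "$1")" -gt 0 ]
}

# Live check: report the daemon, surface the abort log when startup failed before
# standard logging began, and apply the guide's recovery step (restart) if it is down.
spe_check_daemon() {
    ps_out="$(ps -e)"
    if spe_running_in "$ps_out"; then
        echo "symcscan is running ($(spe_count_from_ps "$ps_out") processes)"
        return 0
    fi
    echo "symcscan is not running" >&2
    if [ -s "$SPE_ABORT_LOG" ]; then
        echo "startup failure recorded in $SPE_ABORT_LOG:" >&2
        tail -n 20 "$SPE_ABORT_LOG" >&2
    fi
    /etc/init.d/symcscan restart
}

# Constructed samples of `ps -e` output, shaped like the listing in the guide.
SAMPLE_PS_UP='  PID TTY          TIME CMD
    1 ?        00:00:01 init
 5358 ?        00:00:00 symcscan
 5359 ?        00:00:00 symcscan'
SAMPLE_PS_DOWN='  PID TTY          TIME CMD
    1 ?        00:00:01 init
 7001 ?        00:00:00 sshd'

# Offline demonstration on the samples; pass --live to check this host instead.
if [ "${1:-}" = "--live" ]; then
    spe_check_daemon
else
    spe_running_in "$SAMPLE_PS_UP" && echo "sample 1: daemon present"
    spe_running_in "$SAMPLE_PS_DOWN" || echo "sample 2: daemon absent"
fi
```

Clients lose their connections across the restart in `spe_check_daemon`, as the text above notes, so schedule the live check where an automatic restart is acceptable.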

See “Clearing the Java cache” on page 42.


See “Accessing the Symantec Protection Engine console” on page 43.

Clearing the Java cache

Note: This topic is applicable only when working in the Core server with user interface mode.

In some configurations, the caching of Java Applets might cause the Symantec Protection
Engine console to display very slowly or fail to display at all. To prevent this problem, you must
clear the Java cache and disable the caching feature.
To clear the Java cache
1 In the Java Control Panel dialog box, on the General tab, click Settings.
2 Clear the Keep temporary files on my computer check box.
3 Click Delete Files.
4 In the Delete Temporary Files dialog box, select the Applications and Applets and
Trace and Log Files check boxes.
5 Click OK.
See “Accessing the Symantec Protection Engine console” on page 43.

Accessing the Symantec Protection Engine console


The Symantec Protection Engine console is a Web-based interface that you can use to manage
Symantec Protection Engine. The interface is provided through a built-in HTTPS server. You
access the interface by using Symantec Protection Engine-based authentication, with the
administrative account that you set up during installation. You access the Symantec Protection
Engine console through a Web browser, from any computer on your network that can reach the
server that is running Symantec Protection Engine.
See “About the built-in HTTPS server” on page 44.
You do not need to restart Symantec Protection Engine after you modify a configuration setting
for the changes to take effect. Most settings take effect when you apply them. If the Symantec
Protection Engine service is restarted, connections to the client applications that are in the
process of submitting files for scanning are lost. The client applications must re-establish their
connections and resubmit files for scanning. You might want to schedule configuration changes
for times when scanning is at a minimum.
The first time that you access the Symantec Protection Engine console after login, one of the
following occurs:

The License page appears
    No valid license is installed. The License page is the only page that is active until you
    install a valid license.

The Home page appears
    At least one valid license is installed. You can navigate throughout the entire console.



Each time that you start a new browser session, log in, and open the console, the Home page
appears. Only one user should use the console at a time to avoid possible race conditions
and configuration change conflicts.
The certificate that is shipped with Symantec Protection Engine to access the console is a
self-signed certificate and must be used for testing purposes only. We recommend that you
purchase and use a security certificate that suits your security requirements.
To access the console with Symantec Protection Engine-based authentication
1 Launch a Web browser on any computer on your network that can access the server that
is running Symantec Protection Engine.
2 In a Web browser, type the following address:
https://<servername>:<port>/
where <servername> is the host name or IP address of the server that is running Symantec
Protection Engine and <port> is the port number that you selected during installation for
the built-in Web server. The default port number is 8004.
3 If a Security Alert dialog box appears, click Yes to confirm that you trust the integrity of
the applet, and then click Yes to display the Web page.
4 In the Login Name box, type a valid login name.
5 In the Enter Password box, type the password for the administrative account.
6 Press Enter.
On successful login, Administrator is displayed in the upper right-hand corner of the
Symantec Protection Engine console.
See “About authentication modes in Symantec Protection Engine” on page 33.
See “Clearing the Java cache” on page 42.

About the built-in HTTPS server


The built-in HTTPS server provides the console for Symantec Protection Engine. The built-in
HTTPS server is independent of any existing HTTPS server that might be installed on your
server. It is not a general-purpose Web server. During the installation process, you are prompted
for the TCP/IP port number on which this built-in HTTPS server listens. The default setting is
port 8004. If you specify a port number other than the default, remember which port number
you chose. The port number that you specify must be exclusive to the Symantec Protection
Engine console. Use a port number that is equal to or greater than 1024 and that is not already
in use by another program or service. Do not use port number 443, which is the default port
number for secure Web server connections.
You are also prompted upon installation to assign a Secure Socket Layer (SSL) port number
on which encrypted files are transmitted for increased security. (The default port number is
8005.) If you change the port number, use a number that is equal to or greater than 1024. No
other program or service should use the port number that you choose.

Note: When you configure your firewall, ensure that you do not block the ports for the built-in
HTTPS server and the SSL.

See “About the built-in HTTPS server” on page 44.


See “Accessing the Symantec Protection Engine console” on page 43.

Enhancing security for the HTTPS servers and SSL servers

Note: This topic is applicable only when working in the Core server with user interface mode.

Symantec Protection Engine secures the HTTPS servers and SSL servers with public and
private keys, which it creates when you install the product.
You can periodically force Symantec Protection Engine to generate new keys. You can also
import keys from a third-party certificate.
See “Importing keys from a third-party certificate” on page 45.
See “Forcing Symantec Protection Engine to generate new keys” on page 47.

Importing keys from a third-party certificate


When you install Symantec Protection Engine, you also install a utility that you can use to
import keys from third-party certificates. You must import the certificate file into a Java keystore
format. You can import the certificate through a graphical user interface or at the command
line. Symantec Protection Engine supports importing PFX and PKCS#12 certificate files.
See “Migrating to version 8.1” on page 61.
To import keys from a third-party certificate with the Certificate Import Utility graphical user
interface
1 At the command line, change directories to the Symantec Protection Engine installation
directory. The default installation directory is as follows:

Linux    /opt/SYMCScan/bin

2 Type the following to start the graphical user interface for the utility:
java -jar certinstall.jar --gui

3 In the Certificate Import Utility for Symantec Protection Engine 7.9 window, click Load
Certificate File.
4 In the Load PFX/PKCS#12 Certificate File window, select the certificate file that you want
to import.
5 In the Enter password for certificate window, type the password for the certificate.
A text representation of the certificate appears.
6 Click Import.
7 In the Select destination directory window, select the directory to where you want to
import the file.
The keystore file that is created when you import the certificate is maintained in this
directory. You must select the Symantec Protection Engine default installation directory.
8 Click OK.
The file keyStore.private is created and placed in the destination directory.
9 Click Exit to close the Certificate Import Utility.
To import a third-party private key from the command line
1 At the command line, change directories to the Symantec Protection Engine installation
directory. The default installation directories are as follows:

Linux /opt/SYMCScan/bin

2 Do one of the following steps:

To respond to command line prompts
    Type the following command:
    java -jar certinstall.jar --import
    You are prompted for responses. Type your response, and then press Enter.

To specify the certificate file name and the destination directory in one command
    Type the following command:
    java -jar certinstall.jar --import --infile <PFX/PKCS12 certificate file name> --destination <SPE Dir>
    where <PFX/PKCS#12 certificate file name> is the name of the certificate that you want to
    import, and <SPE Dir> is the Symantec Protection Engine installation directory.

To access the Certificate Import Utility help
◆ Do one of the following steps:

In the Certificate Import Utility GUI    On the menu bar, click Help.

At the command line                      Type the following command:
                                         java -jar certinstall.jar --help

See “Forcing Symantec Protection Engine to generate new keys” on page 47.

Forcing Symantec Protection Engine to generate new keys


You should change the private key every two to five years to sustain long-term security. You
can force Symantec Protection Engine to generate new keys. When you delete the existing
keystore, Symantec Protection Engine automatically creates new keys the next time you start
the Symantec Protection Engine service.
To force Symantec Protection Engine to generate new keys
1 Stop the Symantec Protection Engine service.
2 In the installation directory, delete the following files:
■ keyStore.private
■ keyStore.public
3 Restart the Symantec Protection Engine service.


See “Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux ”
on page 41.
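The import procedure and the rotation procedure above both replace the keystore, and neither keeps a copy of the files it overwrites. The following POSIX shell script is an added example, not part of the Symantec utility or this guide, that moves `keyStore.private` and `keyStore.public` into a timestamped backup before either operation, invokes `certinstall.jar` with the command-line options shown in the import procedure, and reports when the private keystore has passed a rotation interval. It assumes the default installation directory `/opt/SYMCScan`, the init script `/etc/init.d/symcscan`, an absolute path for the PFX/PKCS#12 file, and a 730-day interval (the two-year low end of the guide's recommendation); `SPE_HOME` and `SPE_ROTATE_DAYS` are hypothetical variables you can override.

```sh
#!/bin/sh
# Added example for the certificate import and key rotation procedures above; not part
# of the Symantec utility or guide. Assumptions: default installation directory
# /opt/SYMCScan, init script /etc/init.d/symcscan, the certinstall.jar options shown in
# the guide, an absolute path for the PFX/PKCS#12 file, and a 730-day rotation interval
# (the two-year low end of the guide's two-to-five-year recommendation).

SPE_HOME="${SPE_HOME:-/opt/SYMCScan}"
SPE_ROTATE_DAYS="${SPE_ROTATE_DAYS:-730}"

# 0 if FILE is at least DAYS old (default: the rotation interval). POSIX find is used
# so the check does not depend on GNU stat; a missing file is reported and not due.
spe_rotation_due() {
    f="$1"
    days="${2:-$SPE_ROTATE_DAYS}"
    if [ ! -f "$f" ]; then
        echo "$f not found" >&2
        return 1
    fi
    # -mtime +N is true when the truncated age in days exceeds N, i.e. age >= N+1
    [ -n "$(find "$f" -prune -mtime +"$((days - 1))" -print)" ]
}

# Move the current keystore files into a timestamped backup directory so an import or
# rotation can be reverted; prints the backup path. The guide's procedure deletes the
# files outright; keeping a copy is this script's addition.
spe_backup_keystore() {
    backup="$SPE_HOME/keystore-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in keyStore.private keyStore.public; do
        if [ -f "$SPE_HOME/$f" ]; then
            mv "$SPE_HOME/$f" "$backup/"
        fi
    done
    echo "$backup"
}

# The rotation procedure from the guide: stop the service, remove both keystore files,
# start it again; the service generates fresh keys on start. Run as root.
spe_rotate_keys() {
    /etc/init.d/symcscan stop
    echo "previous keys saved in $(spe_backup_keystore)"
    /etc/init.d/symcscan start
}

# Import a third-party PFX/PKCS#12 file with the bundled utility, preserving the old
# keystore first. The utility is run from the bin directory as the guide describes.
spe_import_certificate() {
    if [ ! -f "$1" ]; then
        echo "certificate file $1 not found" >&2
        return 1
    fi
    echo "previous keys saved in $(spe_backup_keystore)"
    (cd "$SPE_HOME/bin" && java -jar certinstall.jar --import --infile "$1" --destination "$SPE_HOME")
}

# Report whether the installed private keystore has passed the rotation interval.
spe_rotation_report() {
    if spe_rotation_due "$SPE_HOME/keyStore.private"; then
        echo "keyStore.private is at least $SPE_ROTATE_DAYS days old: rotate it"
    else
        echo "keyStore.private is within the rotation interval"
    fi
}

# Only report when an installation is actually present; defining the functions above
# has no side effects on its own.
if [ -f "$SPE_HOME/keyStore.private" ]; then
    spe_rotation_report
fi
```

`spe_rotation_report` is safe to run from a scheduled job; `spe_rotate_keys` and `spe_import_certificate` stop or replace the console's keys and so belong in a maintenance window, after which the console presents the new certificate.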

Changing the console settings


After installing Symantec Protection Engine, you can configure the console settings for
Symantec Protection Engine.
Table 2-2 describes the console settings that you can configure.

Table 2-2 Console settings

Option                    Description

Console server address    You manage Symantec Protection Engine through a Web-based interface,
                          which is provided through a built-in HTTP server. The HTTP server
                          binds to all interfaces by default. Specify the appropriate bind
                          address to restrict administrative access.

Console port number       The Web-based interface binds to a TCP/IP port number. You are
                          prompted to provide a port number during installation. You can change
                          the port number through the console.
                          If you change the port number, use a number that is equal to or
                          greater than 1024. No other program or service should use the port
                          number that you choose.
                          Note: If you change the port number through the console, you must
                          close and reopen the console. To access the console after the change,
                          you must update the URL address to include the new port number.

SSL port number           Symantec Protection Engine uses a Secure Socket Layer (SSL) port to
                          transmit files securely. You are prompted to provide an SSL port
                          number during installation. You can change the port number through
                          the console. If you change the SSL port number, use a number that is
                          equal to or greater than 1024. No other program or service should use
                          the port number that you choose.
                          You must close and reopen the console for the new SSL port setting
                          to take effect.

Console timeout           By default, Symantec Protection Engine is configured to automatically
                          log off the user after a period of inactivity. The default period of
                          inactivity is 300 seconds (five minutes). You can change the default
                          timeout period. The minimum value is 60 seconds.
                          Note: You must close and reopen the console for the new timeout
                          interval setting to take effect.

To change the console settings


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Console Settings.
3 In the content area under Console Settings, in the Console server address box, type
a bind address, if necessary.
By default, Symantec Protection Engine binds to all interfaces. Specify the appropriate
bind address to restrict administrative access.
4 In the Console port number box, type a port number.
The default setting is port 8004. If you change the port number, choose a port number
that is exclusive to the Symantec Protection Engine interface and that is greater than 1024.
Do not use port number 80. To disable the console, type 0. If you disable the console,
you must configure Symantec Protection Engine by editing the configuration file.
5 In the SSL port number box, type a secure port number.
The default setting is port 8005. If you change the port number, choose a port number
that is exclusive to Symantec Protection Engine and that is between 1024 and 65535. Do
not use port number 80 or port 443.
6 In the Console timeout box, type the period of inactivity, in seconds, after which the user
is automatically logged off.
The default period of inactivity is 300 seconds (five minutes). The minimum value is 60
seconds; the maximum value is 3600 seconds (60 minutes).
7 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console until
         you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

You must close and reopen the console for the changes to the console settings to take
effect.
See “About editing the Symantec Protection Engine configuration files” on page 257.
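Table 2-2 notes that the built-in HTTP server binds to all interfaces unless you set a console server address, and the HTTPS server section earlier in this chapter asks you to leave the console and SSL ports open at the firewall. The following shell script is an added example, not part of the Symantec product, that audits a host for that exposure by reading `ss -ltn` output and flagging the console and SSL ports when they are bound to a wildcard address. It assumes iproute2 `ss` for the live check and the default ports 8004 and 8005, overridable through the hypothetical `SPE_CONSOLE_PORT` and `SPE_SSL_PORT` variables; the socket listings embedded in it are constructed samples.

```sh
#!/bin/sh
# Added example for the console exposure discussed above; not part of the Symantec product.
# Assumptions: iproute2 `ss` for the live check; default ports 8004 (console) and 8005 (SSL),
# overridable through the hypothetical SPE_CONSOLE_PORT and SPE_SSL_PORT variables.

SPE_CONSOLE_PORT="${SPE_CONSOLE_PORT:-8004}"
SPE_SSL_PORT="${SPE_SSL_PORT:-8005}"

# Print Local Address:Port for every LISTEN line in `ss -ltn` shaped text whose port is one
# of the given ports and whose address is a wildcard (0.0.0.0, * or [::]). The listing is
# passed as an argument so the parser can be run on captured output.
spe_wildcard_listeners() {
    ss_text="$1"
    shift
    for port in "$@"; do
        printf '%s\n' "$ss_text" | awk -v p="$port" '
            $1 == "LISTEN" {
                n = split($4, a, ":")
                addr = substr($4, 1, length($4) - length(a[n]) - 1)
                if (a[n] == p && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                    print $4
            }'
    done
}

# 0 when neither console port is bound to all interfaces; otherwise 1 with a report and the
# two mitigations the guide gives: a console server address, and firewall rules for the ports.
spe_bind_audit() {
    exposed="$(spe_wildcard_listeners "$1" "$SPE_CONSOLE_PORT" "$SPE_SSL_PORT")"
    if [ -z "$exposed" ]; then
        echo "console ports are bound to specific addresses only"
        return 0
    fi
    echo "console reachable on all interfaces:" >&2
    printf '  %s\n' $exposed >&2
    echo "set Console server address (System > Console Settings) to the management" >&2
    echo "interface and allow the ports only from administrative hosts at the firewall" >&2
    return 1
}

# Live audit of this host's listening sockets.
spe_bind_audit_live() {
    spe_bind_audit "$(ss -ltn)"
}

# Constructed `ss -ltn` samples: an exposed console port, and a correctly restricted pair.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8004        0.0.0.0:*
LISTEN 0      128    10.0.5.20:8005      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'
SAMPLE_SS_RESTRICTED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    10.0.5.20:8004      0.0.0.0:*
LISTEN 0      128    10.0.5.20:8005      0.0.0.0:*'

# Offline demonstration on the samples; pass --live to audit this host instead.
if [ "${1:-}" = "--live" ]; then
    spe_bind_audit_live
else
    spe_bind_audit "$SAMPLE_SS_EXPOSED" || :
    spe_bind_audit "$SAMPLE_SS_RESTRICTED"
fi
```

The audit only reads socket state, so it can run after every console settings change to confirm that the bind address took effect once the console has been closed and reopened.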

Editing user information


After installing Symantec Protection Engine, you can edit the user information for Symantec
Protection Engine.

Table 2-3 describes the user information that you can configure.

Table 2-3 User information

Option              Description

Login name          Displays the login name for the user account.
                    Note: The login name cannot be edited.

Display name        Displays the display name for the user account.

New password        You can set a new password for the user account. You cannot view the
                    existing password of the user account.
                    See “About editing the Symantec Protection Engine configuration files”
                    on page 257.

Confirm password    Type the password again to confirm it.

Email address       The existing email address (if any) is displayed. The email address is an
                    optional data field. You must type the email address in the
                    name@symantecdomain.com format.

To edit the user information


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click My Details.
3 In the Display name box, type the new display name for the user account.
4 In the New Password box, type the new password for the user account.
5 Reconfirm the password by typing it again in the Confirm password box.
6 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console
         until you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

See “Managing user accounts” on page 51.



Managing user accounts


Multiple users can access the Symantec Protection Engine console and modify the configuration
and policy of Symantec Protection Engine. To do so, the Administrator must first create user
accounts with unique login names and passwords. Once you have a user account, access the
Symantec Protection Engine console and sign in with your login name and password. You
can change the password after logging in to the console.

Note: The Administrator can create a maximum of 24 user accounts only. This number does
not include the default Administrator user account.

See “Accessing the Symantec Protection Engine console” on page 43.


The Administrator is the user account created during a clean install. If you upgrade Symantec
Protection Engine and preserve the existing settings, the existing user becomes the
Administrator. It is recommended that you remember the password for this account, as it is
the only account that can manage Symantec Protection Engine console users. If you want to
change the password in the console, you must have the old password.

Note: The Administrator can create, edit, or delete user accounts only for Symantec Protection
Engine-based authentication.

The user login and logout information is logged when the logging level is set to Audit. With the
multiple user account feature, you can monitor who logs in and logs out.
See “Logging levels and events” on page 142.

Note: Only the Administrator can create, edit, or delete user accounts. Hence, the Manage
Users link is visible only to the Administrator.

See “Creating a new user account” on page 51.


See “Editing an existing user account” on page 53.
See “Deleting a user account” on page 55.
See “Viewing existing user accounts” on page 56.

Creating a new user account


Only the Administrator can access the Manage Users link to create a new user account. The
Administrator can create a maximum of 24 user accounts only.
Table 2-4 describes the options that you must configure to create a new user.

Table 2-4 Creating new user options

Option Description

Login name        Indicates the login name that you use to sign into the Symantec Protection
                  Engine console. The login name must be unique and cannot be used for another
                  user account. The length of the login name can be between 5 and 25
                  characters. The login name can contain any character except space characters.
                  Note: The login name is not case-sensitive.
                  Note: The login name field cannot be left blank.

Display name      Indicates the display name that you view on the top-right corner of the
                  console after you log in with your user account credentials. The Display
                  Name must not exceed 20 characters and is an optional data field.
                  Note: The Display Name cannot be Administrator.

Password Indicates the password that you use to sign into the
Symantec Protection Engine console.

The password field cannot be left blank.

Confirm password Reconfirm the password by typing it again.

Email address     Indicates the email address of the user account. The email address is an
                  optional data field. You must type the email address in the
                  name@symantecdomain.com format.

To create a new user account


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Manage Users.
This link is visible only to those users who log into the Symantec Protection Engine console
by using the Administrator account credentials.
3 In the content area under Manage Users, click the Create new user tab.
4 In the Login name box, type a unique login name.
The login name must have a length between 5 and 25 characters.

5 In the Display name box, type a display name.
This data field is optional.
6 In the Password field, type the password that the user must use to log in to the Symantec
Protection Engine console.
7 Reconfirm the password by typing it again in the Confirm password box.
8 Type an email address for the user account in the Email address box.
This parameter is optional.
9 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console
         until you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

The information you type is lost if you click the Edit user or Delete user tab without saving
your entries.
See “Managing user accounts” on page 51.
See “Editing an existing user account” on page 53.
See “Deleting a user account” on page 55.
See “Viewing existing user accounts” on page 56.

Editing an existing user account


The Administrator can modify some parameters of existing user accounts.
Table 2-5 describes the fields that the Administrator can edit in existing user accounts.

Table 2-5 Editing user account options

Option Description

Login name Choose the login name of the user account that you
want to modify from the drop-down menu.

Display name The existing display name (if any) is shown here.

New password You can set a new password for the user account.
You cannot view the existing password of the user
account.

Confirm Reconfirm the new password by typing it again.

Email address The existing email address (if any) is displayed.

This parameter is optional.

To edit an existing user account


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Manage Users.
This link is visible only to those users who log into the Symantec Protection Engine console
by using the Administrator account credentials.
3 In the content area under Manage Users, click the Edit user tab.
4 Select the user account that you want to edit from the drop-down box in Login name.
5 Edit the user account display name in the Display name box.
6 In the New password box, type the new password that the user must use to log in to the
Symantec Protection Engine console.
The password field cannot be left blank.
7 Reconfirm the password by typing it again in the Confirm box.
8 Edit the user account email address in the Email address box.
This parameter is optional.
9 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console
         until you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

The information you type is lost if you click the Create new user or Delete user tab without
saving your entries.

See “Managing user accounts” on page 51.
See “Creating a new user account” on page 51.
See “Deleting a user account” on page 55.
See “Viewing existing user accounts” on page 56.

Deleting a user account


In addition to creating and editing user accounts, the Administrator can delete existing user
accounts in Symantec Protection Engine.
Table 2-6 describes the fields that the Administrator must configure to delete a user account.

Table 2-6 Deleting user account options

Option Description

Login name        Displays the login names of all existing user accounts.

Delete            To delete a specific user account, put a check mark against the user account.

To delete a user account


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Manage Users.
This link is visible only to those users who log into the Symantec Protection Engine console
by using the Administrator account credentials.
3 In the content area under Manage Users, click the Delete user tab.

4 To delete a particular user account, put a check mark in the Delete column corresponding
to the user account.
5 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console
         until you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

The information you type is lost if you click the Create new user or Edit user tab without
saving your entries.
See “Managing user accounts” on page 51.
See “Creating a new user account” on page 51.
See “Editing an existing user account” on page 53.
See “Viewing existing user accounts” on page 56.

Viewing existing user accounts


You can view existing user accounts on the Symantec Protection Engine by using the
Administrator account credentials. All user accounts except the Administrator user account
are visible under the Manage Users link. The existing users list is empty when you log into
Symantec Protection Engine for the first time.
Table 2-7 describes the existing user account details that you can view.

Table 2-7 Visible details of existing user accounts

Option Description

Login name Displays the unique login name of the user account
that the user must use to log into the Symantec
Protection Engine console.

Display name      Displays the user account display name that is visible on the top-right
                  corner of the console once the user logs in.

Email address Displays the email address for the user account.

This parameter is optional.



To view existing user accounts


1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Manage Users.
This link is visible only to those users who log into the Symantec Protection Engine console
by using the Administrator account credentials.
3 In the content area under Existing Users, you can view existing user accounts on the
Symantec Protection Engine.
See “Managing user accounts” on page 51.
See “Creating a new user account” on page 51.
See “Editing an existing user account” on page 53.
See “Deleting a user account” on page 55.

About security notice


You can configure Symantec Protection Engine to display a custom security notice to all users
before they log in. You can use this feature to ensure that users view common security
information before they log in to the Symantec Protection Engine console.
See “Enabling security notice feature” on page 57.

Enabling security notice feature


The security notice feature can be accessed using any user account credentials in the Symantec
Protection Engine console.
To enable the security notice feature
1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click Security Notice.
3 In the content area under Security Notice, check the Display security notice option.
To disable the feature, uncheck the option.
4 In the Security Notice Content text box, type the text that you want all users to view
before they log in.
You can type a maximum of 1500 characters in the Security Notice Content text box.

5 On the toolbar, select one of the following options:

Save     Saves your changes. Use this option to continue making changes in the console
         until you are ready to apply them.

Apply    Applies your changes. Your changes are not implemented until you apply them.

6 Close the existing Symantec Protection Engine console and access the console once
again for changes to take effect.
See “About security notice” on page 57.

Allocating resources for Symantec Protection Engine


You can allocate resources for Symantec Protection Engine and limit the system resources
that are devoted to scanning. You can also limit the server resources that Symantec Protection
Engine uses for processing files in memory.
Table 2-8 describes the resource settings.

Table 2-8 Resource settings

Option Description

Temporary directory for scanning   Symantec Protection Engine stores files in the installation
                                   directory temporary folder for scanning. You can change the
                                   location of this temporary directory to support sites with
                                   large, specialized disk configurations. The disk space that is
                                   required for this directory varies depending on the volume of
                                   data to be scanned. Symantec Protection Engine performance
                                   depends on this directory being able to accommodate a large
                                   volume of data during periods of peak use.

                                   If you change the temporary directory location, ensure that
                                   it has the proper access permissions so that only authorized
                                   entities can access it.

                                   The directory that you specify must already exist. Symantec
                                   Protection Engine validates the existence of the directory
                                   when you save or apply your changes.
                                   The default temporary directories are as follows:

                                   ■ Linux: <Installdir>/temp

Number of available threads for    You can specify the maximum number of threads that are
scanning                           available for scanning. The pool of threads that is available
                                   to Symantec Protection Engine for scanning dynamically adjusts
                                   to the load that is being processed. You can change a number
                                   of additional related parameters in the configuration file.
                                   The optimal settings for these parameters vary depending on
                                   your environment and how you use Symantec Protection Engine.
                                   Symantec Protection Engine performance depends on the following:

                                   ■ Volume of data being scanned
                                   ■ Number of the client applications that make requests
                                   ■ Available memory and disk space
                                   ■ Number of scanning threads

                                   See “Control the dynamic thread pool” on page 262.

Threshold number of queued         Symantec Protection Engine is at maximum load when the number
requests                           of queued requests exceeds the specified threshold. You can
                                   configure Symantec Protection Engine to log the event to the
                                   specified logging destinations when the queue exceeds the
                                   maximum load.

                                   See “Logging levels and events” on page 142.

                                   When the ICAP threshold notification feature is enabled
                                   (default value), Symantec Protection Engine takes the
                                   following actions:

                                   ■ Logs the event to the logging destinations
                                   ■ Rejects the scan request
                                   ■ Notifies the client that the server is too busy to process
                                     the request

                                   When the ICAP threshold notification feature is disabled,
                                   Symantec Protection Engine continues to queue all incoming
                                   requests after the threshold is exceeded until a thread
                                   becomes available. You can configure the threshold for queued
                                   requests for Symantec Protection Engine. The client can then
                                   adjust the load balancing, which prevents the server from
                                   being overloaded with scan requests.
                                   Note: For logging to occur at maximum load, the logging level
                                   for the logging destination must be set to Warning or higher.

Log or send alert for maximum      Symantec Protection Engine generates log entries and alerts
load every _ minutes               at a prescribed interval to notify you that it is at the
                                   maximum threshold for scan requests. The alert interval is the
                                   number of minutes between each log entry or alert. The default
                                   interval is every five minutes. If you change the interval,
                                   select one that is informative but does not result in an
                                   excessive number of log entries or alerts.
                                   You receive an SMTP alert every <n> minutes when Symantec
                                   Protection Engine rejects a scan request because it is too
                                   busy, when all of the following conditions are met:

                                   ■ You use ICAP.
                                   ■ The ICAP threshold client notification feature is enabled
                                     (default setting).
                                   ■ You enable SMTP alerts.
                                   ■ You configure "Log or send alert for maximum load every
                                     __ minutes."

                                   Symantec Protection Engine posts log entries and sends SNMP
                                   alerts for each event in which a scan request is rejected
                                   because the server is too busy.

                                   See “Activating SMTP alerts” on page 151.

In-memory file processing          Symantec Protection Engine can decompose and scan the contents
                                   of container files in memory, which eliminates the latency
                                   imposed by on-disk scanning. This feature can improve
                                   performance in environments in which large volumes of
                                   container and archive file formats are routinely submitted for
                                   scanning. You can limit the resources that are consumed for
                                   processing files in memory by specifying the maximum RAM to
                                   use for the in-memory file system (in megabytes).

To allocate resources for Symantec Protection Engine


1 In the console on the primary navigation bar, click Configuration.
2 In the sidebar under Views, click Resources.
3 In the content area under System Scanning Resources, in the Temporary directory
for scanning box, type the temporary directory to be used for scanning.
To prevent scanning conflicts between Symantec Protection Engine and any other client
antivirus software installed on the server, make sure that the client antivirus software
avoids all scans of the Symantec Protection Engine temporary directory (for example,
real-time scans, manual scans, and scheduled scans).
4 In the Number of available threads for scanning box, type the maximum number of
scanning threads that are allowed for scanning.
The default setting depends on the number of processor cores.
See “About available threads for scanning” on page 116.

5 In the Threshold number of queued requests box, type the threshold number of queued
requests that Symantec Protection Engine considers to be at maximum load.
The default setting is 100.
6 In the Log or send alert for maximum load every __ minutes box, type the alert interval
in minutes.
The default setting is 5 minutes.
7 Under Server Resources, in the Maximum RAM used for in-memory file system box,
type the maximum amount of RAM that can be used for the in-memory file system.
The default setting is 2048 MB.
8 On the toolbar, select one of the following:

Save Saves your changes.

This option lets you continue making changes in the console until you are
ready to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them. You must perform a
manual restart for the changes to take effect.
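The queued-request threshold and alert interval described in Table 2-8, as an added illustration that is not part of this guide or of the product's code: a small Python model of how a request is dispatched, queued or rejected at maximum load, keeping the per-event log entry separate from the interval-throttled SMTP alert. The class and attribute names are assumptions, as is the choice (noted in the comments) of treating "exceeds the threshold" as rejecting once the queue already holds the threshold number of requests.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MaxLoadSettings:
    """Settings from the Resources view, under assumed attribute names."""
    scanning_threads: int              # Number of available threads for scanning
    queued_request_threshold: int      # Threshold number of queued requests
    alert_interval_min: int            # Log or send alert for maximum load every __ minutes
    icap_threshold_notification: bool = True   # enabled by default in the product


@dataclass
class LoadModel:
    """Models how scan requests are dispatched, queued or rejected at maximum load."""
    settings: MaxLoadSettings
    active: List[str] = field(default_factory=list)
    queue: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)
    event_log: List[Tuple[float, str]] = field(default_factory=list)
    smtp_alerts: List[float] = field(default_factory=list)
    _last_alert_min: Optional[float] = None

    def submit(self, request_id: str, now_min: float) -> str:
        """Return 'scanning', 'queued' or 'rejected' for a request arriving at now_min."""
        if len(self.active) < self.settings.scanning_threads:
            self.active.append(request_id)
            return "scanning"
        # Assumption: the engine is at maximum load once the queue would grow
        # beyond the threshold, i.e. when it already holds `threshold` entries.
        at_max_load = len(self.queue) >= self.settings.queued_request_threshold
        if at_max_load and self.settings.icap_threshold_notification:
            # Notification enabled: log the event, reject the request and tell
            # the client the server is too busy (the client can then rebalance).
            self.rejected.append(request_id)
            self.event_log.append((now_min, f"rejected {request_id}: server too busy"))
            self._maybe_send_smtp_alert(now_min)
            return "rejected"
        # Notification disabled (or not yet at maximum load): keep queuing
        # until a scanning thread becomes available.
        self.queue.append(request_id)
        return "queued"

    def finish(self, request_id: str) -> Optional[str]:
        """Release a thread and start the next queued request, if any."""
        self.active.remove(request_id)
        if not self.queue:
            return None
        nxt = self.queue.pop(0)
        self.active.append(nxt)
        return nxt

    def _maybe_send_smtp_alert(self, now_min: float) -> bool:
        """At most one SMTP alert per alert interval, unlike the per-event log entry."""
        last = self._last_alert_min
        if last is not None and now_min - last < self.settings.alert_interval_min:
            return False
        self._last_alert_min = now_min
        self.smtp_alerts.append(now_min)
        return True


if __name__ == "__main__":
    # Constructed burst: one thread, threshold 2, alerts at most every 5 minutes.
    model = LoadModel(MaxLoadSettings(scanning_threads=1, queued_request_threshold=2,
                                      alert_interval_min=5))
    for rid, t in [("r1", 0), ("r2", 0), ("r3", 0), ("r4", 0), ("r5", 1), ("r6", 6)]:
        print(rid, model.submit(rid, t))
    print("log entries:", len(model.event_log), "smtp alerts at:", model.smtp_alerts)
```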

Migrating to version 8.1


Symantec Protection Engine does not support direct upgrades from version 7.5 and earlier
versions. In that case, you must migrate to version 8.1. The following table describes the
migration process when a direct upgrade is not supported.

Table 2-9 Migration Paths

Previous version number    Description

7.5.x                      Symantec Protection Engine does not support direct upgrades from
                           version 7.5.x. You must migrate to 8.0 first, then upgrade to 8.1.

                           A separate utility to migrate from 7.5.x to 8.0 is provided.

                           Note: On Linux, set the LD_LIBRARY_PATH as follows before you
                           execute the Migration Utility:

                           LD_LIBRARY_PATH="<Base_Location>/SPE_Tools/Migration_Utility/RedHat/"

                           For more information, see the Symantec Protection Engine Migration
                           Utility in the Symantec_Protection_Engine_Tools.zip file.

7.0.x Symantec Protection Engine does not support direct upgrades from
version 7.0.x. You must first upgrade to version 7.5.x, then migrate
to 8.0.

You must stop the Symantec Protection Engine service before you upgrade the software.
See “Importing keys from a third-party certificate” on page 45.

Uninstalling Symantec Protection Engine


When you uninstall Symantec Protection Engine, the license keys remain. If you want to
permanently uninstall Symantec Protection Engine, you must manually uninstall the license
keys.
See “About removing license files” on page 67.
When you uninstall Symantec Protection Engine, the keystore files also remain, which eliminates
the need to re-import certificates if you uninstall and reinstall the product.
See “Enhancing security for the HTTPS servers and SSL servers” on page 45.
To uninstall Symantec Protection Engine on Linux
1 Log in to the computer as root.
2 Change to the directory where Symantec Protection Engine is installed:
cd /opt/SYMCScan/bin/
3 Run the following command:
./uninstall.sh
Chapter 3
Activating licenses
This chapter includes the following topics:

■ About licensing

■ About license activation

■ About transaction-based metering

About licensing
You activate key features for Symantec Protection Engine when you install the appropriate
license. Key features include scanning for threats and security risks, HTTP content filtering,
and related updates. You must install the licenses through the Symantec Protection Engine
console.
For complete scanning functionality and definition updates, you need the following licenses:

Product licenses                  Product licenses activate scanning functionality.

                                  The AV Scanning license activates the threat scanning features
                                  and security risk scanning features. The URLFiltering license
                                  activates the HTTP URL filtering features. The URL Reputation
                                  license activates the URL Reputation feature.

                                  See “About scanning for risks” on page 79.

                                  See “About categories” on page 118.



Content licenses                  Content licenses let you receive product updates.

                                  The AV Content license lets you receive updated threat and
                                  security risk definitions. Updated definitions ensure that your
                                  server is protected from risks.

                                  The URL Content license lets you receive updated Content
                                  Category lists.

                                  The URL Reputation Content license lets you use updated IP,
                                  Domain/URL Reputation feeds.

                                  See “About definition updates” on page 163.

Symantec Insight™ license         Symantec Insight™ license activates the Insight scanning.

                                  See “About Symantec Insight™” on page 95.

Symantec APK Reputation license   Symantec APK Reputation license activates the APK Reputation
                                  functionality.

You must have valid product licenses to configure the product and to access the threat
(antivirus) scanning, security risk scanning, and HTTP content filtering features. Without valid
product licenses, you cannot access these features in the console.
The first time that you open the console after installation, only the License view is active. You
must install the AV Scanning license to access the Configuration, Reports, Monitors, and
System pages in the console. You must have the AV Scanning and URL Filtering licenses
installed to access the Policies pages. You must also activate the Insight license to take
advantage of the Insight scanning feature.
Symantec Protection Engine installs with the most current definitions that are available at the
time the product is released. After you install the product and activate the licenses, perform a
definition update to obtain the most current definitions. If you discover a problem with the new
definitions, revert to the definitions that were shipped with the product.
See “Rolling back URL definitions” on page 169.
When a license is within 60 days of its expiration date, it is considered to be in a warning
period. After a license expires with no license renewal, all record of the license is removed.
To regain product functionality, you must renew and reactivate your license subscription.
You can configure Symantec Protection Engine to generate log entries when a license is in
the warning period.
See “About logging data” on page 141.
See “Checking the license status” on page 68.

About license activation


You activate scanning features and definitions updates for Symantec Protection Engine with
licenses. A separate license must be installed for each feature. If you purchase additional
product features from Symantec as they become available for Symantec Protection Engine,
these features require a new license.
Symantec issues a serial number for each type of license that you purchase. This serial number
is required to register your product and your maintenance agreement. The serial number is
provided on a license certificate, which is mailed separately and arrives in the same time frame
as your software. For security reasons, the license certificate is not included in the Symantec
Protection Engine software distribution package. If you upgrade from a previous version and
you have an active maintenance contract, you might receive the serial number certificate with
an upgrade insurance letter.
See “If you do not have a serial number” on page 65.
License activation involves the following process:

Obtain a license file from     To request a license file, you must have the license serial number for
Symantec.                      each license that you want to activate. After you complete the
                               registration process, Symantec sends you the appropriate license file
                               by email.

                               See “Obtaining a license file” on page 65.

Install the license file.      You must install the content licenses and product licenses on each
                               server on which you run Symantec Protection Engine. When you install
                               the licenses, you can enable the scanning processes and update your
                               product and its associated content.
                               See “Installing the license file” on page 66.

If you do not have a serial number


Your license certificate contains the serial numbers for the license that you purchase. The
license certificate should arrive within three to five business days of when you receive your
software. If you do not receive the license certificate, contact Symantec Customer Service at
800-721-3934 or your reseller to check the status of your order. If you have lost your license
certificate, contact Symantec License Administration.
See “Where to get more information” on page 21.

Obtaining a license file


Each license certificate or upgrade certificate has a serial number. The serial number is used
to request a license file and to register for support. To request a license file, you must have
the serial number for the license.

The serial number is printed on the license certificate or upgrade certificate that Symantec
mails to you. The format of a serial number is a letter followed by 10 digits. For example,
F2430482013.
If you purchase multiple types of licenses but register them separately, Symantec sends you
a separate license file for each license. You must install each license file separately. If you
register multiple licenses at the same time, Symantec sends you a single license file that
contains all of your licenses.
The license file that Symantec sends to you is contained within a .zip file. The .slf file that is
contained within the .zip file is the actual license file. Ensure that your inbound email
environment permits .zip email message attachments.

Warning: License files are digitally signed. If you try to edit a license file, you render it invalid.

To obtain a license file


1 In a Web browser, type the following address:
https://licensing.symantec.com
Your Web browser must use 128-bit encryption to view the site.
2 If a Security Alert dialog box appears, click OK.
3 Follow the procedures on the Symantec Licensing Portal to register your license and
request your license file.
Symantec sends you an email message that contains the license file in an attachment. If
the email message does not arrive within two hours, an error might have occurred. Try
again to obtain the license file through the Symantec Web site. If the problem continues,
contact Symantec Technical Support.
See “Where to get more information” on page 21.

Installing the license file


A license file contains the information that is required to activate one or more features in a
product. A license file is also required to update the product and its associated content. A
license file might contain one or more types of licenses. The number of licenses it contains
depends on whether you registered the license serial numbers separately or at the same time.
See “Obtaining a license file” on page 65.
You can install the license file through the console. If you disabled the console, you can install
the license file by copying it to a specific directory location.

Note: You must restart Symantec Protection Engine manually after saving the license files.

To install the license file through the console


1 When you receive the email message from Symantec that contains the license file, save
the file that is attached to the email message to the computer from which you intend to
access the Symantec Protection Engine console.
2 In the console on the primary navigation bar, click System.
If no license has been installed, when you open the console, the System tab appears by
default.
3 In the sidebar under Views, click License.
4 Under Tasks, click Install License.
5 In the Install License window, click Browse.
6 In the Load File window, browse to the folder location where you saved the license file,
select it, and then click Open.
7 In the Install License window, click Install.
A status message indicates that the license was successfully installed.
To install the license file without using the console:
◆ Based on the operating system, save the license file that you receive in an email message
from Symantec in the following location:

Linux /opt/Symantec/Licenses

Note: If Symantec Protection Engine is running with a non-root user, that user must have the
required permissions for a license file in /opt/Symantec directory for LiveUpdate to work.

About removing license files


The license files for Symantec Protection Engine are not uninstalled automatically if you
uninstall the product. The license files remain in place so that if you need to reinstall the product,
the license remains intact. Each license that is installed is stored in a separate file in the shared
license directory. This shared directory contains the licenses for all Symantec products. The
license files must be removed manually.
The default license directories are as follows:

Linux /opt/Symantec/Licenses

See “About licensing” on page 63.



Checking the license status


You can view information about the status of your Symantec Protection Engine licenses. You
can check the license expiration date and the number of days that remain in the warning period.
Table 3-1 describes the license information that is displayed on the License page.

Table 3-1 License status information

Column Description

Feature This column lists each license that is installed.

Expiration This column lists the expiration date for each license. If the license is in the warning
period, a warning message is displayed in this column.

Fulfillment ID The fulfillment ID is the identification number for your license. You must provide this
number to Symantec customer care if you have questions about your license.

The Quick Status pane on the Home page also displays the licenses that are installed. When
a license is about to expire, the License page displays the warning.
To check the license status
1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click License.
The licensing information appears in the content area.
See “About licensing” on page 63.

About transaction-based metering


Symantec Protection Engine now supports transaction-based metering. This topic explains
what qualifies for the transaction and how you can view the transactions by using the Symantec
Protection Engine console.

What is a transaction?
A file or a URL scanned is counted in a transaction when it is scanned by at least one scanner
within Symantec Protection Engine (Antivirus, file attributes, container attributes, and URL
Scanner).
The following are considered as a transaction:
■ A file that is sent to Symantec Protection Engine for examination or a file that is extracted
from a container and sent to Symantec Protection Engine for examination.
■ URL that is sent to Symantec Protection Engine for URL filtering (category-based filtering
or URL Reputation).

What is not a transaction?


Symantec Protection Engine may skip scanning files, and does not count them as
transactions, in the following scenarios:
■ Policy settings where container extraction is aborted, that is, no further files are extracted
from the container once the limit is met. The files that are not extracted are not
counted as transactions. File extraction can be aborted by the following settings:
■ MaxExtractSize

■ MaxExtractDepth

■ CumulativeExtractSize

■ MaxExtractFileCount

■ The following policy settings (filemod only), where files are skipped based on their size or
source path and are not counted as transactions:
■ FileSizeScanThreshold

■ DenyFilePaths

How to know the total transactions from the report?


The total number of transactions is the sum of the Total Files Scanned and URLs Scanned fields of
the report that you generate from the Symantec Protection Engine console.
For example, in the Figure 3-1 sample report, the total transaction count is 2044 (Total Files
Scanned 2042 + URLs Scanned 2).
See “Viewing the metering information on the console” on page 69.
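A small model of these counting rules, added here as an illustration (not Symantec code): it applies the four extraction limits from the list above and the Files Scanned / Total Files Scanned distinction from Table 3-2 to a nested container, then adds URLs the way the report does. How the engine behaves at each limit is an assumption stated in the comments.

```python
"""Model of the transaction count described above (added illustration, not Symantec code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Entry:
    """A scanned item: a plain file (children is None) or a container of entries."""
    name: str
    size: int
    children: list[Entry] | None = None


@dataclass
class Limits:
    """Container limits named as in the guide; these default values are constructed."""
    max_extract_depth: int = 10
    max_extract_size: int = 100 * 1024 * 1024
    cumulative_extract_size: int = 300 * 1024 * 1024
    max_extract_file_count: int = 1000


@dataclass
class Report:
    files_scanned: int = 0        # "Files Scanned": one per submitted file, archive or not
    total_files_scanned: int = 0  # "Total Files Scanned": submitted files plus every extracted file
    urls_scanned: int = 0         # "URLs Scanned": one per URL sent for filtering
    abort_log: list[str] = field(default_factory=list)

    @property
    def transactions(self) -> int:
        """Total transactions = Total Files Scanned + URLs Scanned."""
        return self.total_files_scanned + self.urls_scanned


def _extract(container: Entry, depth: int, limits: Limits, state: dict[str, int], report: Report) -> None:
    """Extract one container's children; stop (and log) at the first limit hit.
    Assumed behaviour: a limit aborts extraction of this container only, so files
    not extracted are never counted, while sibling and top-level files continue."""
    if depth > limits.max_extract_depth:
        report.abort_log.append(f"{container.name}: MaxExtractDepth reached")
        return
    for child in container.children or []:
        if state["count"] >= limits.max_extract_file_count:
            reason = "MaxExtractFileCount"
        elif child.size > limits.max_extract_size:
            reason = "MaxExtractSize"
        elif state["bytes"] + child.size > limits.cumulative_extract_size:
            reason = "CumulativeExtractSize"
        else:
            reason = ""
        if reason:
            report.abort_log.append(f"{container.name}: {reason} reached at {child.name}")
            return
        state["count"] += 1
        state["bytes"] += child.size
        report.total_files_scanned += 1  # each extracted file is a transaction
        if child.children is not None:
            _extract(child, depth + 1, limits, state, report)


def meter(submitted: list[Entry], urls_scanned: int = 0, limits: Limits | None = None) -> Report:
    """Count what the statistics report would show for these submissions and URLs."""
    limits = limits or Limits()
    report = Report(urls_scanned=urls_scanned)
    for top in submitted:
        report.files_scanned += 1
        report.total_files_scanned += 1  # the submitted file itself is a transaction
        if top.children is not None:
            # file count and cumulative size are tracked per submitted container
            _extract(top, 1, limits, {"count": 0, "bytes": 0}, report)
    return report


if __name__ == "__main__":
    # Constructed sample: the guide's archive of 100 files gives Files Scanned 1 and
    # Total Files Scanned 101; with two URLs that is 103 transactions.
    archive = Entry("bundle.zip", 4096, [Entry(f"doc{i}.txt", 100) for i in range(100)])
    r = meter([archive], urls_scanned=2)
    print(r.files_scanned, r.total_files_scanned, r.transactions)
    print(meter([archive], limits=Limits(max_extract_file_count=50)).abort_log)
```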

Viewing the metering information on the console


You can view the total number of files and URLs scanned information in the report that you
can generate on the console. You can select a date range and time range for which you want
to view the metering information.
To view the metering information on the console
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Statistics.
3 In the content area under Statistics View, in the Date range from boxes, type the start
date and end date for the range you want to report.
Use the following date format: MM/DD/YY
For example, if you want to view the data for the last 90 days, type a date such as 6/20/2017.

4 In the Time range from boxes, type the daily start and end times for which you want the
report.
Use the following time format: HH:MM:SS (24-hour time).
For example, 23:30:00 is 11:30 P.M.
5 In the sidebar under Tasks, click Generate Report.

Figure 3-1 Sample Report



Table 3-2 Statistics Report fields

Category Field and Description

General Statistics ■ Requests: Total number of the requests that Symantec Protection
Engine received.
■ Connections: Total number of connector connections to Symantec
Protection Engine.
■ Files Scanned: Files that Symantec Protection Engine scanned. If the
file is an archive and contains multiple files within it, this field shows
number of archive files.
■ Total Files Scanned: Total number of files that Symantec Protection
Engine scanned. If file is an archive and contains multiple files within
it, then this field shows total number of files scanned that is all the files
within the archive file and archive file itself.
For example, if an archive file contains 100 files within it, Files Scanned
displays 1 and Total Files Scanned displays 101.
■ Files Quarantined: Files that Symantec Protection Engine quarantined.
■ Cumulative Scan Time: Total amount of time that Symantec Protection
Engine spent to scan the files within specified date and time range.
■ Scan Errors: Errors that Symantec Protection Engine encountered in
the specified period.

Threat Risk Ratings From the overall viruses and security risks detected, threat risk ratings
classify them into high, medium, and low risk ratings.

■ High: High-risk infections/viruses detected by Symantec Protection Engine.
■ Medium: Medium-risk infections/viruses detected by Symantec Protection Engine.
■ Low: Low-risk infections/viruses detected by Symantec Protection Engine.

Viral Threats Detected ■ Infections: Infections/viruses detected by Symantec Protection Engine.

Non-viral threats Detected ■ Security Risks: Security risks that Symantec Protection Engine
detected.

Policy Violations ■ Container Policy Violations: Total container policy violations that
Symantec Protection Engine detected.
■ File Attribute Policy Violations: Total file attribute policy violations
that Symantec Protection Engine detected.

Unscannable Files ■ Encrypted Containers: Total number of encrypted container files that
Symantec Protection Engine could not scan.

URL Statistics ■ URLs Scanned: Total number of URLs that Symantec Protection
Engine scanned.
■ URL Filtering Blocks: Total number of URLs that Symantec Protection
Engine blocked after scanning.
■ URL Filtering Audits: Total number of URLs that Symantec Protection
Engine audited.
■ URL Reputation Blocks: Total number of URLs that Symantec
Protection Engine blocked after scanning with URL Reputation feature.

See “About transaction-based metering” on page 68.


Chapter 4
Configuring scanning
services for client
applications
This chapter includes the following topics:

■ About the communication protocols

■ About working with ICAP

■ About secure ICAP support in Symantec Protection Engine

About the communication protocols


You can select the communication protocol that Symantec Protection Engine uses to
communicate with the client applications for which it provides scanning services. You must
configure protocol-specific configuration options, which differ depending on the protocol that
you select.

Internet Content Adaptation Protocol (ICAP): Symantec Protection Engine uses ICAP by default. ICAP is
a lightweight protocol for executing a remote procedure call on HTTP messages. Symantec Protection
Engine supports version 1.0 of ICAP, as presented in RFC 3507 (April 2003).

See “About working with ICAP” on page 75.

If you have installed Symantec Protection Engine for Cloud Services, you can configure it to run only
with the ICAP-based protocol.
You must upgrade only from a supported previous version of Symantec Protection Engine for Cloud
Services to the latest version of Symantec Protection Engine for Cloud Services. Upgrading from
Symantec Protection Engine for Cloud Services to Symantec Protection Engine for Network Attached
Storage is not supported, and vice versa.

Supported services by protocol


The services that are available through Symantec Protection Engine differ depending on the
protocol that you use.
Table 4-1 lists the services that are available for each protocol.

Table 4-1 Supported services by protocol

Feature ICAP

Threat detection Supported

See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.

Security risk detection Supported

Insight detection Supported

See “About Symantec Insight™” on page 95.

APK Reputation detection Supported

See “About Android Application (APK) Reputation ” on page 97.

URL Reputation detection Supported

See “About URL Reputation” on page 139.

Container processing limits Supported

See “Setting container file limits” on page 113.

Encrypted container detection Supported

See “About container files in Symantec Protection Engine ” on page 91.

File name filtering Supported

See “Configuring file name filtering in Symantec Protection Engine” on page 87.

File or attachment size filtering Supported

See “Configuring file size filtering in Symantec Protection Engine” on page 89.

Scanning by file extension and file type Supported

See “Specifying which files to scan” on page 110.

Scanning by file size Supported

See “Specifying the maximum file or message size to scan” on page 113.

Quarantining infected files Supported

See “About quarantining files in Symantec Protection Engine ” on page 85.

HTTP content filtering Supported

See “How to filter a URL” on page 131.

Logging events to the following destinations: Supported

■ Local logs
See “About configuring local logging” on page 146.
■ Statistics Log
See “Enabling statistics reporting in Symantec Protection Engine” on page 149.
■ Abort log
See “Logging destinations” on page 141.
■ Linux Syslog
See “Configuring logging to the Linux Syslog” on page 150.

Monitor scanning requests Supported

See “Monitoring scanning requests” on page 98.

Continuous self-test scanning Supported

See “Allocating resources for Symantec Protection Engine” on page 58.

Notification to the client that the queued requests threshold is reached Supported

See “Allocating resources for Symantec Protection Engine” on page 58.

See “Disable the ICAP threshold client notification” on page 264.

SMTP and SNMP alert and outbreak notifications Supported

See “About configuring alerts” on page 151.

Command-line scanning Supported

See “About the Symantec Protection Engine command-line scanner” on page 230.

Advanced machine learning Supported

See “How Symantec Protection Engine detects risks” on page 81.

About working with ICAP


In its default configuration, Symantec Protection Engine uses ICAP to communicate with the
clients that run ICAP version 1.0, as presented in RFC 3507 (April 2003). Any client that uses

this standard can use ICAP to communicate with Symantec Protection Engine to request
scanning services.
The Symantec Protection Engine software development kit (SDK) is available for developing
custom integrations with version 1.0 of ICAP. It includes client-side application program
interfaces (API) to simplify the addition of AV scanning to any C, C++, Java, or .Net application.
When you use ICAP as the communication protocol, Symantec Protection Engine initially
provides information to the ICAP client about which file types to scan. This information is based
on the configuration of Symantec Protection Engine.
If the file extension is one that is identified for scanning, the ICAP client forwards the entire
file to Symantec Protection Engine. If the file extension is unknown or is not one that is identified
for scanning, the ICAP client forwards the first few bytes of the file. Symantec Protection Engine
examines the first few bytes of the file to determine whether the file might contain a threat or
security risk. Based on this examination, Symantec Protection Engine might request and scan
a file even when it is not identified for scanning.
Symantec Protection Engine also scans POST transactions (sending data from a Web browser
to a server using the HTTP protocol). When a threat or security risk is detected in a POST
transaction file, Symantec Protection Engine blocks the file without trying to repair it. An HTTP
message informs the posting client that a risk was detected and that the file was blocked.
See “Configuring ICAP options” on page 76.
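The OPTIONS and RESPMOD exchange that the preceding paragraphs describe, as an added Python example (not the Symantec SDK or any Symantec code): the client reads the scanner's Transfer-* lists to decide whether a file goes whole or as a preview, builds the chunked RESPMOD request with its Preview header, and prepares what is sent after a 100 Continue. The host name, the service path and the OPTIONS reply are constructed placeholders; only port 1344 comes from the guide.

```python
"""Client side of the ICAP 1.0 exchange described above (RFC 3507)."""
from __future__ import annotations

import os
from dataclasses import dataclass

CRLF = b"\r\n"
# Assumed values: 1344 is the guide's default port; host and service path are
# placeholders, not a Symantec service name.
ICAP_HOST, ICAP_PORT, SERVICE = "scanner.example.invalid", 1344, "SERVICE_NAME"

# Constructed OPTIONS reply standing in for the scanner's answer: it tells the
# client which extensions to send whole, which to preview and which to skip.
SAMPLE_OPTIONS_REPLY = (
    b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\nISTag: \"constructed-tag-1\"\r\n"
    b"Preview: 4096\r\nTransfer-Complete: exe, dll, zip\r\nTransfer-Ignore: gif, jpg\r\n"
    b"Transfer-Preview: *\r\nAllow: 204\r\n\r\n"
)

@dataclass
class IcapOptions:
    preview: int | None  # preview size the scanner asks for, if any
    complete: set[str]   # extensions always sent in full
    previewed: set[str]  # extensions sent as a preview first
    ignore: set[str]     # extensions the scanner does not want at all

def parse_icap_message(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split an ICAP response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status, *lines = head.decode("latin-1").split("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {status!r}")
    headers: dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def parse_options(raw: bytes) -> IcapOptions:
    """Read the Preview and Transfer-* headers out of an OPTIONS reply."""
    code, headers, _ = parse_icap_message(raw)
    if code != 200:
        raise ValueError(f"OPTIONS failed with status {code}")

    def exts(name: str) -> set[str]:
        return {e.strip().lower() for e in headers.get(name, "").split(",") if e.strip()}

    preview = int(headers["preview"]) if "preview" in headers else None
    return IcapOptions(preview, exts("transfer-complete"), exts("transfer-preview"),
                       exts("transfer-ignore"))

def transfer_mode(opts: IcapOptions, filename: str) -> str:
    """'complete', 'preview' or 'ignore' for one file (RFC 3507 section 4.10.2):
    a listed extension wins, '*' is the default for everything else, and with
    no Transfer-* headers at all the file is sent whole."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    lists = (("complete", opts.complete), ("preview", opts.previewed), ("ignore", opts.ignore))
    for mode, members in lists:
        if ext and ext in members:
            return mode
    for mode, members in lists:
        if "*" in members:
            return mode
    return "complete"

def chunk(data: bytes) -> bytes:
    return b"%x" % len(data) + CRLF + data + CRLF  # one HTTP chunk

def build_respmod(http_req_hdr: bytes, http_res_hdr: bytes, body: bytes,
                  opts: IcapOptions, filename: str) -> tuple[bytes, bytes]:
    """Build the RESPMOD request for one HTTP response. Returns (request, remainder):
    remainder is the body still to send if the scanner answers 100 Continue, and is
    empty when everything went out already or the file is ignored (request empty too)."""
    mode = transfer_mode(opts, filename)
    if mode == "ignore":
        return b"", b""
    use_preview = mode == "preview" and opts.preview is not None
    head, rest = (body[:opts.preview], body[opts.preview:]) if use_preview else (body, b"")
    res_at = len(http_req_hdr)  # byte offsets of the encapsulated HTTP parts
    icap_hdr = [
        f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{SERVICE} ICAP/1.0".encode(),
        f"Host: {ICAP_HOST}".encode(),
        b"Allow: 204",  # lets the scanner say "clean, unchanged" without echoing the body
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (res_at, res_at + len(http_res_hdr)),
    ]
    if use_preview:
        icap_hdr.append(b"Preview: %d" % opts.preview)
    # A preview that already holds the whole body ends with "0; ieof", so the
    # scanner knows there is nothing left to ask for (RFC 3507 section 4.5).
    end = b"0; ieof" + CRLF + CRLF if use_preview and not rest else b"0" + CRLF + CRLF
    request = (CRLF.join(icap_hdr) + CRLF + CRLF + http_req_hdr + http_res_hdr
               + (chunk(head) if head else b"") + end)
    return request, rest

def continuation(rest: bytes) -> bytes:
    """What to send after 100 Continue: the rest of the body, chunked, then the end marker."""
    return chunk(rest) + b"0" + CRLF + CRLF
```

A 204 reply to the request means the scanner passed the file unchanged; anything else carries a modified HTTP response (for example a block page) in the same encapsulated format, which parse_icap_message splits off as the body.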

Configuring ICAP options


If you select ICAP, you must configure certain options that are specific to the ICAP protocol. You
must also configure the ICAP client to work with Symantec Protection Engine. For more information,
see the ICAP client documentation.
See “Configuring ICAP options” on page 76.
Table 4-2 describes the configuration options for ICAP.

Table 4-2 Protocol-specific options for ICAP

Option Description

Bind address Symantec Protection Engine detects all of the available IP addresses that are
installed on the host. By default, Symantec Protection Engine accepts scanning
requests on (binds to) all of the scanning IP addresses that it detects. You can
configure up to 64 IP addresses as scanning IP addresses.

You can specify whether you want Symantec Protection Engine to bind to all
of the IP addresses that it detects, or you can restrict access to one or more
interfaces. If you do not specify at least one IP address, Symantec Protection
Engine binds to all of the scanning IP addresses that it detects.

If Symantec Protection Engine fails to bind to any of the selected IP addresses,
an event is written to the log as a critical error. Even if Symantec Protection
Engine is unable to bind to any IP address, you can access the console.
However, scanning functionality is unavailable.

See “Logging levels and events” on page 142.


Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that
are running on the same computer connect to Symantec Protection Engine.

Port number The port number must be exclusive to Symantec Protection Engine. You must
use the same port number for all of the scanning IP addresses that you want
to bind to Symantec Protection Engine.

The default port number is 1344. If you change the port number, use a number
that is equal to or greater than 1024. No other program or service should use
this port number.

To configure ICAP options


1 In the console on the primary navigation bar, click Configuration.
2 In the sidebar under Views, click Protocol.
3 In the content area under Select Communication Protocol, click ICAP.
4 In the Manual Restart Required dialog box, click OK.
Whenever you switch protocols, you must restart the server. You can continue to make
and apply changes in the console. However, the changes do not take effect until you
restart the Symantec Protection Engine service.

5 Under ICAP Configuration, in the Bind address table, select the scanning IP addresses
that you want to bind to Symantec Protection Engine. Check Select All to select every
IP Address in the Bind address table.
Only four IP addresses appear in the Bind address table. Click the scroll bar to view
additional IP addresses.
By default, Symantec Protection Engine binds to all interfaces.
6 In the Port number box, type the TCP/IP port number that the client application uses to
pass files to Symantec Protection Engine for scanning.
The default setting for ICAP is port 1344. If you change the port number, use a number
that is equal to or greater than 1024. No other program or service should use this port
number. You must use the same port number for every scanning IP address that you
want to bind to Symantec Protection Engine.
7 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About working with ICAP” on page 75.

About secure ICAP support in Symantec Protection Engine

Secure ICAP is SSL/TLS encrypted ICAP-based communication. You can configure Symantec
Protection Engine to use secure ICAP for communication with its client. Secure ICAP prevents
someone who can capture the packets on the network from examining the content that is being
scanned.
If you enable secure ICAP in Symantec Protection Engine, the clients that send the scan
requests must also be enabled for secure ICAP communication.
Secure ICAP affects scan performance because of the SSL/TLS encryption overhead.
See “Configure the secure ICAP options” on page 260.
See “Enabling client certificate verification” on page 262.
Chapter 5
Protecting against risks
This chapter includes the following topics:

■ About scanning for risks

■ Configuring antivirus scan policy in Symantec Protection Engine

■ About quarantining files in Symantec Protection Engine

■ About preventing potential threats in Symantec Protection Engine

■ About container files in Symantec Protection Engine

■ Customizing notifications in Symantec Protection Engine

■ About Symantec Insight™

■ About Android Application (APK) Reputation

About scanning for risks


Symantec Protection Engine can scan all major file types (for example, Microsoft Word and
Microsoft Excel files). Symantec Protection Engine can detect mobile code, such as Java,
ActiveX, and stand-alone script-based threats. Symantec Protection Engine handles most
types of compressed and archive file formats and nested levels of files.
Symantec Protection Engine can detect the following types of risks:
■ Viral threats (such as viruses, worms, and Trojan horses)
See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.
■ Nonviral threats (security risks such as adware and spyware)

■ Denial-of-service attacks
See “Setting container file limits” on page 113.

Symantec Protection Engine also helps you protect your network by blocking potential threats.
When you receive information about a new threat, you can block or delete the message, file,
or file attachment before definitions are available.
See “About preventing potential threats in Symantec Protection Engine” on page 86.
Scanning for risks can consume bandwidth, increase overall scanning time, and degrade
performance. You can improve scanning performance by limiting the files and email messages
to be scanned to only those that are most likely to contain risks.
See “About container files in Symantec Protection Engine ” on page 91.
See “Specifying which files to scan” on page 110.
See “Specifying the maximum file or message size to scan” on page 113.
For more information about viral threats, security risks, and other forms of malicious attacks,
on the Internet, go to the following URL for Symantec Security Response:
http://securityresponse.symantec.com

About threat categorization and risk ratings


Symantec Protection Engine categorizes each viral and nonviral threat under the sub-categories
associated with it, which are dynamic in nature and may change with definition updates. A
threat can have only one sub-category assigned to it. In addition, Symantec Protection Engine
also provides the sub-category ID.
Symantec measures each viral and nonviral threat using risk rating factors along with their
impact levels. The risk rating factors and their impact levels define the degree to which a
threat can harm the computer.
Table 5-1 displays the various risk rating factors and their impact levels.

Table 5-1 Risk rating factors and their impact levels

Factor Description Impact levels

Performance impact Degree to which any program can affect a system's stability, speed, and
performance.
Impact levels: High, Medium, Low

Privacy impact Degree to which any program can gather personal information through the Internet
and relay it back to a remote computer without the user's knowledge.
Impact levels: High, Medium, Low

Ease of removal Degree to which any program can embed itself deep within the system and refuse
to be removed.
Impact levels: High, Medium, Low

Stealth Degree to which any program can install itself without the user noticing and then
remain hidden to prevent detection and removal.
Impact levels: High, Medium, Low

Symantec Protection Engine calculates the overall impact (Cumulative Risk Rating) of a
detected threat based on the impact levels of individual risk rating factors.
The detailed information for each detected threat is logged to all configured logging destinations
and as part of the ICAP response.
See “Enable nonviral threat categories information” on page 270.
See “Enable threat categories information” on page 273.

How Symantec Protection Engine detects risks


Symantec Protection Engine uses the following tools to detect risks:

Definitions Symantec engineers track reported outbreaks of risks (such as viruses, Trojan
horses, worms, adware, and spyware) to identify new risks. After a risk is identified,
information about the risk (a signature) is stored in a definition file. This file contains
information to detect and eliminate the risk. When Symantec Protection Engine
scans for risks, it searches for these signatures.

Heuristics Symantec Protection Engine uses Symantec Bloodhound™ heuristics technology
to scan for threats for which no known definitions exist. Bloodhound heuristics
technology scans for unusual behaviors (such as self-replication) to target potentially
infected documents. Bloodhound technology is capable of detecting as much as 80
percent of new and unknown executable file threats. Bloodhound-Macro technology
detects over 90 percent of new and unknown macro viruses. Bloodhound requires
minimal overhead since it examines only programs and the documents that meet
stringent prerequisites. In most cases, Bloodhound can determine in microseconds
whether a file or document is likely to be infected. If it determines that a file is not
likely to be infected, it moves to the next file.

Decomposition of container files Symantec Protection Engine extracts container files so that they
can be scanned for risks. Symantec Protection Engine continues to extract container files until it
reaches the base file. Symantec Protection Engine imposes limits on file extraction.
These limits protect against denial-of-service attacks that are associated with
overly large files or complex container files that take a long time to decompose.
These limits also improve scanning performance.

Symantec Protection Engine scans a file and its contents until it reaches the
maximum depth that you specify. Symantec Protection Engine stops scanning any
file that meets the maximum file size limit, cumulative file size limit, or maximum file
count. It then generates a log entry. Symantec Protection Engine resumes scanning
any remaining files. This process continues until Symantec Protection Engine scans
all of the files to the maximum depth (that do not meet any of the processing limits).

Symantec Insight™ Symantec Insight™ is a file-based detection technology that classifies files as
good or bad by examining properties, usage patterns, or users of a given file rather than
scanning it.

Android Application (APK) Reputation Symantec Protection Engine has introduced a new Android
Application Reputation feature that you can use to classify untrusted APK files. APK Reputation
uses Symantec’s mobile intelligence framework that leverages data from sources
such as Norton community watch, market crawling, and malware industry partners.
The files will have security ratings such as low bad, high bad, neutral, medium bad,
low good, medium good, and high good.

Advanced machine learning Advanced machine learning technology detects malware based on static
attributes. This technology enables Symantec Protection Engine to detect malware in the
pre-execution phase, thereby stopping large classes of malware, both known and
unknown. In Symantec Protection Engine, this technology works with the File Insight
(Reputation) technology to provide best-in-class protection with low false positives.

See “About scanning for risks” on page 79.


See “About threat categorization and risk ratings” on page 80.
See “About Symantec Insight™” on page 95.

Configuring antivirus scan policy in Symantec Protection Engine

Symantec Protection Engine can detect viral and nonviral threats, such as viruses, Trojan
horses, worms, and security risks in all major file types (for example, Windows, DOS, Microsoft
Word, and Microsoft Excel files). The threat detection capability is enabled by default and you
cannot disable it.

Symantec Protection Engine gives you an option to quarantine threats. You can quarantine
threats if you have configured a quarantine server in Symantec Protection Engine.
You must have a valid antivirus scanning license to scan for threats and a valid content license
to update virus definitions. If you upgrade from a previous version and your licenses are current,
Symantec Protection Engine automatically recognizes these licenses.

Note: If Symantec Protection Engine is enrolled with the centralized console, you can apply
the policies for it from the centralized console. All the policies and the settings that can be
configured from the centralized console are disabled for modification in the standalone user
interface of Symantec Protection Engine.

See “To configure the antivirus scan policy in Symantec Protection Engine” on page 83.
See “How Symantec Protection Engine detects risks” on page 81.
See “Ways to test threat detection capabilities” on page 84.
To configure the antivirus scan policy in Symantec Protection Engine
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Scanning.
3 Under Antivirus Scanning, in the Scan policy list, select how you want Symantec
Protection Engine to handle infected files. The options are as follows:

Scan policy ■ Scan only
Denies access to the infected file but does nothing to the infected file.
■ Scan and delete
Deletes all infected files without trying to repair them, including the files
that are embedded in archive files.
■ Scan and repair files
Tries to repair infected files but does nothing to the files that cannot be
repaired. Security risks cannot be repaired.
■ Scan and repair or delete
Tries to repair infected files and deletes any unrepairable files from archive
files. Security risks cannot be repaired.
This is the default setting.

Note: Symantec Protection Engine version 8.1 does not support repair of
infected files.

4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About quarantining files in Symantec Protection Engine ” on page 85.


See “Configuring the quarantine in Symantec Protection Engine” on page 85.

Ways to test threat detection capabilities


You can test the threat detection capabilities of Symantec Protection Engine by using an EICAR
test file.
The EICAR test file contains a test string that most major antivirus products detect and handle
as though it was a threat. The test string is not a virus. You can download an EICAR test file.
On the Internet, go to the following URL:
http://eicar.org

Warning: Carefully read the disclaimers on the site before you download the test file into your
environment. Any attempt to test antivirus software with real or dummy viruses should be handled
with extreme care.

If your computer already has antivirus software, you must disable the Auto-Protect mode of
the antivirus software before you download the test file.
See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.

About quarantining files in Symantec Protection Engine
When you use the ICAP protocol, you can quarantine the files that might contain threats. To
quarantine files, you must install Symantec Central Quarantine.
Symantec Central Quarantine must be installed on a computer that runs Windows 2000
Server/Windows 2003 Server/Windows 2008 Server/Windows 2012 Server. Symantec Central
Quarantine is included on the Symantec Protection Engine Tools zip.
For more information, see the Symantec Central Quarantine Implementation Guide.
You can designate unscannable files and the files that might contain threats or malicious code
in Symantec Protection Engine for quarantining. Symantec Protection Engine forwards the
files that you want to quarantine to Symantec Central Quarantine. Typically, the heuristically
detected threats that cannot be eliminated are forwarded to the Quarantine so that they are
isolated. Since the threats are isolated, they cannot spread. You can submit the files that are
in the quarantine to Symantec Security Response for analysis. If a new threat is identified,
new definitions are posted.
You must select Scan and repair or delete as the antivirus action policy to forward files to
the quarantine.

Note: If Symantec Protection Engine is enrolled with the centralized console, you can apply
the policies for it from the centralized console. All the policies and the settings that can be
configured from the centralized console are disabled for modification in the standalone user
interface of Symantec Protection Engine.

See “About unscannable files in Symantec Protection Engine” on page 91.


See “Configuring the quarantine in Symantec Protection Engine” on page 85.

Configuring the quarantine in Symantec Protection Engine


If you plan to quarantine the files that might contain threats or malicious code, configure
Symantec Protection Engine to quarantine files. Also provide the host name or IP address for
the computer on which Symantec Central Quarantine Server is installed.
See “To configure the quarantine in Symantec Protection Engine” on page 86.

To configure the quarantine in Symantec Protection Engine


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Quarantine.
3 In the content area under Quarantine, check Configure quarantine server.
4 In the Central quarantine server host or IP box, type the host name or the IP address
for the computer on which Symantec Central Quarantine Server is installed.
5 In the Port box, type the TCP/IP port number that Symantec Protection Engine uses to
pass files to Symantec Central Quarantine.
6 Select Quarantine Threats to quarantine the infected files.
This option is available only if a quarantine server is configured in Symantec Protection
Engine.
7 Select Quarantine encrypted files to quarantine encrypted container files.
This option is available only if a quarantine server is configured in Symantec Protection
Engine.
8 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About quarantining files in Symantec Protection Engine ” on page 85.


See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.
See “Configuring Symantec Protection Engine to handle encrypted container files” on page 92.

About preventing potential threats in Symantec Protection Engine
Symantec Protection Engine has features you can use to prevent emerging threats by doing
the following:

Handle container files Use this feature to handle certain types of container files.

See “About container files in Symantec Protection Engine ” on page 91.

Block or delete files by file name Use this feature to filter documents by file name.

See “Configuring file name filtering in Symantec Protection Engine” on page 87.

Block or delete files by file or attachment size Use this feature to block or delete files by file or
attachment size.

See “Configuring file size filtering in Symantec Protection Engine” on page 89.

Note: If Symantec Protection Engine is enrolled with the centralized console, you can apply
the policies for it from the centralized console. All the policies and the settings that can be
configured from the centralized console are disabled for modification in the standalone user
interface of Symantec Protection Engine.

Configuring file name filtering in Symantec Protection Engine


If your client uses the ICAP protocol, you can filter files by file name to protect your network
during an outbreak. For example, if you know the file name of a new email-borne threat, you
can use this information to block infected email messages.
You can configure Symantec Protection Engine to handle the file in one of the following ways:

Block access to the file or the message: Blocks access to any top-level file that matches the
file name. If a container file or email message contains a file or attachment that matches the
file name, access to the entire container or message is blocked.

Delete the file or the attachment: Deletes any file that matches the file name and logs the
violation. Symantec Protection Engine deletes any attachments within an email message that
match the file name. Attachments that do not match the file name are not deleted and are
delivered with the message.
Symantec Protection Engine deletes any embedded files that match the specified file name
within a container file that contains multiple files. The embedded files that do not match the
specified file name are not deleted. Deleted files are replaced with a replacement file,
DELETED<N>.TXT, which indicates the reason that the file was deleted.

See “Customizing notifications in Symantec Protection Engine” on page 93.

Use wildcard characters if you are unsure of an exact file name or to block all file attachments
with a specific extension. For example, you can use the wildcard *virus* to block all attachments
with the word virus in the file name.

Note: If your client uses the antivirus-only application programming interface (API), file name
violations are reported to the client in the server's response as mail-policy violations. If you
use the extended API or have a standard ICAP implementation, this type of violation is reported
as a file violation.

See “To configure file name filtering in Symantec Protection Engine” on page 88.
To configure file name filtering in Symantec Protection Engine
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 In the content area on the Files tab, under Blocking by File Name, check Block files with
the following names.
4 Under When a matching file is found, select one of the following to specify how Symantec
Protection Engine handles the messages that contain an attachment with that file name:
■ Block access to the file or message
This option is enabled by default.
■ Delete the file or attachment

5 In the file name box, do any of the following:
Add a file name to the list: Type the file name that you want to add. Type one entry per line.
Search strings are not case-sensitive.
You can use the following wildcard characters as needed:
■ A question mark (?) to represent a single character.
■ An asterisk (*) to represent zero or more characters.
■ A backslash (\) as an escape character. For example, precede a ? or a * with \ to match a
literal ? or * symbol in a file name. To match a literal \ symbol, use \\.
Remove a file name from the list: Highlight the file name that you want to remove, and press
Delete.

6 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.
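The wildcard rules and the Block/Delete behaviour described in this section, as an added Python example that is not part of the product or this guide. It assumes list entries are tried in order with the first hit reported as ${MATCHING_FILENAME_ENTRY} (the guide does not state the order) and reuses the DELETED<N>.TXT naming from the notifications section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def pattern_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate one file-name list entry into an anchored, case-insensitive regex.

    Wildcard rules as documented for the Files tab: '?' matches exactly one
    character, '*' matches zero or more characters, and a backslash escapes
    the character after it (a backslash before ? or * matches the literal
    symbol; two backslashes match one literal backslash).
    """
    parts = []
    i = 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):
            parts.append(re.escape(entry[i + 1]))   # escaped literal character
            i += 2
            continue
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def first_matching_entry(file_name: str, entries: Sequence[str]) -> Optional[str]:
    """Return the list entry that matches file_name, or None.

    Assumption (not stated in the guide): entries are tried in list order and
    the first hit is the one reported as ${MATCHING_FILENAME_ENTRY}.
    """
    for entry in entries:
        if pattern_to_regex(entry).match(file_name):
            return entry
    return None


@dataclass
class FilterResult:
    blocked: bool                     # whole message/container blocked (Block mode)
    delivered: List[str]              # attachments passed through unchanged
    deleted: List[Tuple[str, str]]    # (attachment name, matching entry), Delete mode
    replacements: List[str]           # DELETED<N>.TXT names inserted for deleted files


def apply_filename_policy(attachments: Sequence[str], entries: Sequence[str],
                          action: str = "block") -> FilterResult:
    """Apply the configured file-name list to one message's attachments.

    action="block": any match blocks access to the entire message.
    action="delete": only the matching attachments are removed, each replaced
    by DELETED<N>.TXT, where N numbers the deleted attachments from 0.
    """
    hits = [(name, first_matching_entry(name, entries)) for name in attachments]
    if action == "block":
        blocked = any(entry is not None for _, entry in hits)
        return FilterResult(blocked, [] if blocked else list(attachments), [], [])
    if action != "delete":
        raise ValueError(f"unknown action: {action!r}")
    delivered: List[str] = []
    deleted: List[Tuple[str, str]] = []
    replacements: List[str] = []
    for name, entry in hits:
        if entry is None:
            delivered.append(name)
        else:
            deleted.append((name, entry))
            replacements.append(f"DELETED{len(deleted) - 1}.TXT")
    return FilterResult(False, delivered, deleted, replacements)


if __name__ == "__main__":
    # Constructed sample: one message with three attachments and a two-entry list.
    sample = ["invoice.pdf", "Virus_payload.exe", "screensaver.scr"]
    print(apply_filename_policy(sample, ["*virus*", "*.scr"], action="delete"))
```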



See “About preventing potential threats in Symantec Protection Engine” on page 86.
See “Configuring file size filtering in Symantec Protection Engine” on page 89.

Configuring true type file filtering in Symantec Protection Engine


You can configure Symantec Protection Engine to handle the file based on its type. It blocks
access to any top-level file that matches the file type. If a container file or email message
contains a file or attachment that matches the file type, access to the entire container or
message is blocked.
You can use wildcard characters for the files based on their categories to block the files. For
example, you can use the wildcard image/* to block all files that fall under the image category.

Note: True type file filtering is supported only for the ICAP protocol.

See “Configuring true type file filtering in Symantec Protection Engine” on page 89.

Configuring file size filtering in Symantec Protection Engine


If your client uses the ICAP protocol, you can filter files based on their sizes. For example,
suppose you know the exact size of a new email-borne threat. You can use this information to
block any email messages that match this size.
You can configure Symantec Protection Engine to handle the file in one of the following ways:

Block access to the file or the message: Blocks access to any top-level file that matches the
file size. If a container file or email message contains a file or attachment that matches the
specified file size, Symantec Protection Engine blocks the entire container or message.

Delete the file or attachment: Deletes any file that matches the specified file size and logs
the violation. Symantec Protection Engine deletes any attachments within an email message
that match the specified file size. Attachments that do not match the specified file size are
delivered with the message.
Symantec Protection Engine deletes any embedded files that match the specified file size
within a container file that contains multiple files. The embedded files that do not match the
specified file size are not deleted. Deleted files are replaced with a replacement file,
DELETED<N>.TXT, which indicates the reason that the file was deleted.

See “Customizing notifications in Symantec Protection Engine” on page 93.



Note: If your client uses the antivirus-only application programming interface (API), file size
violations are reported to the client in the server's response as mail-policy violations. If you
use the extended API or have a standard ICAP implementation, this type of violation is reported
as a file violation.

See “To configure file size filtering in Symantec Protection Engine” on page 90.
To configure file size filtering in Symantec Protection Engine
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 In the content area on the Files tab, under Blocking by File Size, check Block files with
the following sizes.
4 Under When a matching file is found, select one of the following options to specify how
you want Symantec Protection Engine to handle the messages that contain an attachment
with that file size:
■ Block access to the file or the message
This option is enabled by default.
■ Delete the file or attachment

5 In the file size box, do any of the following:
Add a file size (in bytes) to the list: Type the file size that you want to add. Type one entry
per line.
Remove a file size from the list: Highlight the file size that you want to remove, and press
Delete.

6 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

See “About preventing potential threats in Symantec Protection Engine” on page 86.
See “Configuring file name filtering in Symantec Protection Engine” on page 87.

About container files in Symantec Protection Engine


You can handle container files based on certain criteria that might indicate the presence of a
threat or malicious code, or that might prevent Symantec Protection Engine from effectively
scanning the file.

Note: If Symantec Protection Engine is enrolled with the centralized console, you can apply
the policies for it from the centralized console. All the policies and the settings that can be
configured from the centralized console are disabled for modification in the standalone user
interface of Symantec Protection Engine.

Table 5-2 describes the types of container files that you can handle in Symantec Protection
Engine.

Table 5-2 Types of container files

Type of file: Description

Encrypted container files: Infected files are often encrypted to defeat scanning attempts.
Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You
can configure Symantec Protection Engine to handle encrypted container files to protect your
network from threats.
See “Configuring Symantec Protection Engine to handle encrypted container files” on page 92.

See “About unscannable files in Symantec Protection Engine” on page 91.

About unscannable files in Symantec Protection Engine


Symantec Protection Engine cannot scan certain file types because they cannot be extracted or
they do not match standard file formats. From version 7.0 onwards, such files (encrypted
containers) are referred to as "Unscannable" files.
Previously, Symantec Scan Engine had limited policies to handle such unscannable files. Now,
Symantec Protection Engine provides better control over handling unscannable files.
Symantec Protection Engine provides the following options to handle unscannable files:
■ Log only
Generates a log entry.
■ Block
Blocks the unscannable files and generates a log entry.
■ Delete
Deletes the unscannable files and generates a log entry.

In addition, you can also choose to quarantine unscannable files with any of the above options.
See “Configuring Symantec Protection Engine to handle encrypted container files” on page 92.

Configuring Symantec Protection Engine to handle encrypted container files
Encrypted files are unscannable in Symantec Protection Engine. If you want to protect your
network from threats of encrypted container files, configure Symantec Protection Engine to
handle unscannable encrypted container files.
See “To configure Symantec Protection Engine to handle encrypted container files” on page 92.
To configure Symantec Protection Engine to handle encrypted container files
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 In the content area on the Container Handling tab, under Encrypted Container Handling,
select the Enable Encrypted Container Handling check box.
4 Under Enable Encrypted Container Handling, select one of the following to specify how
Symantec Protection Engine handles encrypted files:

Log only: Generates a log entry. By default, Symantec Protection Engine only logs instances of
encrypted container files.
Block: Blocks the encrypted container files and generates a log entry.
Delete: Deletes the encrypted container files and generates a log entry.

These options are available only if Enable Encrypted Container Handling is enabled.
5 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

See “About container files in Symantec Protection Engine” on page 91.
See “Configuring the quarantine in Symantec Protection Engine” on page 85.

Customizing notifications in Symantec Protection Engine
You can configure Symantec Protection Engine to customize messages to users to notify them
when a file is infected, denied access to, encrypted, or deleted. You can add the text to the
body of a replacement file for a deleted attachment.
Symantec Protection Engine attaches a text file to the email message in the place of each
attachment that is deleted. The text file that is inserted is called DELETED<N>.TXT, where N
is a sequence number. For example, if two attachments are deleted, the replacement files are
called DELETED0.TXT and DELETED1.TXT.
If the attachment is a container file that contains an encrypted file, Symantec Protection Engine
inserts a text file in place of the encrypted file in the container.
When you use ICAP, Symantec Protection Engine displays an HTML text message to the user
when a requested file is blocked. Access to a file is blocked when the file contains a threat
and is deleted.
See “Customizing notifications in Symantec Protection Engine” on page 93.
Table 5-3 describes the types of notification messages that you can customize.

Table 5-3 User notification messages

Type of notification: Default text

Deleted file: File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
File ${QUARANTINED}. File was deleted.

Infected file: File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
File ${QUARANTINED}. File is still infected.

Total threat found: This email message was infected. ${TOTAL_THREATS} number of threats
were found.

Denied file size: The file attached to this email was removed because the file size is not
allowed. File attachment: ${FILE_NAME}. Matched file size: ${FILE_SIZE}.

Denied file names: The file attached to this email was removed because the file name is not
allowed. File attachment: ${FILE_NAME}. Matched pattern: ${MATCHING_FILENAME_ENTRY}.

Encrypted file: The encrypted container attached to this email was removed. File attachment:
${FILE_NAME}. File ${QUARANTINED}.

Web browser: The content you just requested contains ${THREAT_NAME} and was blocked by
the Symantec Protection Engine based on local administrator settings. Contact your local
administrator for further information.

To work with the Core server only mode, see “Customizing notifications in the Core server only
mode” on page 191.
Table 5-4 lists the variables that you can use to customize your notifications.

Table 5-4 Notification variables

Variable: Description

${FILE_NAME}: The name of the infected file.

${FILE_SIZE}: The size of the file that violates the maximum file size threshold.
See “Configuring file size filtering in Symantec Protection Engine” on page 89.

${THREAT_NAME}: The name of the threat.

${THREAT_ID}: The threat identification number.

${QUARANTINED}: Indicates whether a file was quarantined.
See “About quarantining files in Symantec Protection Engine” on page 85.

${TOTAL_THREATS}: The total number of risks that are detected in the MIME message.

${MATCHING_FILENAME_ENTRY}: The file name pattern that triggered the violation.
See “Configuring file name filtering in Symantec Protection Engine” on page 87.

To customize user notifications in Symantec Protection Engine


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Notifications.
3 Under User Message Notifications, check Add text to the body of replacement file
for a deleted attachment.
4 Customize any of the user notification messages.
5 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.



About Symantec Insight™


Symantec Insight™ is a file-based detection technology that classifies files as good or bad by
examining properties, usage patterns, or users of a given file rather than scanning it.
Insight-based security puts files in context, using their age, frequency, location, and more to
expose threats otherwise missed.

Note: Symantec Insight™ provides reputation information for only Portable Executable (PE)
files.

How does Symantec Protection Engine use Symantec Insight™


Symantec Protection Engine integrates the Symantec Insight™ technology and adapts it to
cater to its various deployment scenarios. Symantec Protection Engine is preconfigured with
different Insight threshold values for the following popular deployment methods:
■ Email Server
■ Proxy/Web cache server
■ Other Application
■ NAS
Symantec Protection Engine quarantines the infected files that are detected by Symantec
Insight. This option is enabled only if the Quarantine server is configured.

Enabling Symantec Insight™ policy


You must have a valid Insight scanning license to scan for threats. Insight scanning is enabled
by default.
Symantec Protection Engine also gives you an option to quarantine threats. You can quarantine
threats if you have configured the Quarantine server in Symantec Protection Engine.
You can enable or disable Symantec Insight by using the Core server only mode. See “Enabling
Symantec Insight™ in the Core server only mode” on page 195.
See “About quarantining files in Symantec Protection Engine ” on page 85.

Configuring the scanning aggression level


The Scanning Aggression Level defines how aggressively the threat detection technologies
detect threats. The higher the aggression level, the more files are detected as threats. However,
a higher level also increases the possibility of false positives.
Following are the scanning aggression levels:

■ Known Bad
Potential threat detection is very low, which detects only the files that are known to be bad.
■ Low
Potential threat detection is low.
■ Medium
Potential threat detection is higher than the low aggression level. By default, medium level
is selected in Symantec Protection Engine.
■ High
Potential threat detection is the highest. However, there could be false positives detected
too.
See “To configure the scanning aggression level” on page 96.
To configure the scanning aggression level
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Scanning Aggression.
3 Select the appropriate scanning aggression level.
4 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

See “Enabling Symantec Insight™ policy” on page 95.

Excluding files from scanning based on file size


You can enter a file size criteria to exclude files from scanning.
See “To exclude files from scanning based on file size” on page 96.
To exclude files from scanning based on file size
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Scanning.
3 In the content area under Files to Scan, click Scan all files except those in the extension
or type exclude lists.
4 In the sidebar under Views, click Scanning Aggression.

5 In the Avoid scanning for files larger than field, enter the file size (in bytes), above
which the files are excluded from scanning.

Note: Ensure that Scan all files except those in the extension or type exclude lists
is selected under Policies > Scanning > Files to Scan.

6 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

See “Enabling Symantec Insight™ policy” on page 95.
See “Excluding files from scanning based on file size in the Core server only mode” on page 197.

About Android Application (APK) Reputation


Symantec Protection Engine lets you classify untrusted APK files by using the APK Reputation
feature. APK Reputation uses Symantec’s mobile intelligence framework, which leverages data
from a number of sources. Symantec Protection Engine currently supports APK reputation
scanning by using true type detection of the APK files. Symantec Protection Engine uses the
security rating that is provided by the reputation server to allow, block, or delete an APK file.
The APK Reputation feature is enabled by default. You can disable it on the Symantec Protection
Engine console.
To enable or disable the APK Reputation
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click APK Reputation.
3 In the content area under Android Application (APK) Reputation, select Enable APK
Reputation to enable the feature.
Chapter 6
Monitoring and tuning the
performance of Symantec
Protection Engine
This chapter includes the following topics:

■ How to monitor Symantec Protection Engine performance

■ Ways to improve Symantec Protection Engine performance

How to monitor Symantec Protection Engine performance
You should continually monitor Symantec Protection Engine to ensure that it operates at an
optimal level for your environment. Continual monitoring ensures that you can make the
necessary adjustments as soon as you detect a degradation in performance.
See “Ways to improve Symantec Protection Engine performance” on page 107.
You can monitor Symantec Protection Engine performance in the following ways:
■ Monitoring scanning requests
■ Monitoring Symantec Protection Engine resources

Monitoring scanning requests


Symantec Protection Engine provides a feature that lets you define the expected scanning
load for specific time periods. When the Symantec Protection Engine scanning load decreases
significantly, it might indicate a performance issue. You can use this feature to detect possible
problems before they become critical. If Symantec Protection Engine detects fewer scan

requests than the expected load, it logs the event to the designated logging destinations and
alert destinations. The event is logged at the Warning level.
See “Logging levels and events” on page 142.
Symantec Protection Engine averages the number of scan requests for one minute. If the
average number of requests for that minute meets or exceeds the threshold, no alert is sent.
If the average number of scan requests for that minute is below the threshold, Symantec
Protection Engine sends an alert.
For example, if you set a threshold of 20 requests per second for Wednesday from 1:00 A.M.
to 2:00 A.M., Symantec Protection Engine does not generate an alert for any minute in which
it receives 1,200 or more requests (20 requests times 60 seconds). Symantec Protection
Engine only generates an alert for any minute in which it receives fewer than 1,200 requests.
All of the schedules that you create appear in the Existing Schedules table. Active schedules
are denoted in green; inactive schedules are denoted in red.
You can control how scanning requests are monitored in the following ways:
■ Enable or disable the scan request monitor feature.
■ Add a new schedule.
■ Deactivate an existing schedule.
■ Activate a deactivated schedule.
■ Delete a schedule.
See “Monitoring scanning requests” on page 98.
To enable or disable the scan request monitor feature
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Requests.
3 In the content area under Monitor Requests, do one of the following steps:
■ To enable the feature, check Monitor requests.
You must enable the feature to add, activate, deactivate, or delete any schedules.
■ To disable the feature, uncheck Monitor requests.

This feature is disabled by default.


4 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

To add a new schedule


1 In the content area under Plan a Schedule, click the Day drop-down list, and select the
day of the week that you want to monitor.
You can only select one day.
2 Click the From drop-down list, and select the beginning hour for the schedule time range.
This setting uses a 24-hour clock. For example, 14 is 2:00 PM. You can select a range
from 0 (12:00 AM of the day selected by the user) to 23 (11:00 PM). Hours that you have
already used to create schedules for that day do not appear in the list.
3 Click the To drop-down list, and select the ending hour for the schedule time range.
This option uses a 24-hour clock. For example, 14 is 2:00 PM. You can select a range
from 0 (12:00 AM of the previous day) to 23 (11:00 PM). For example, if you select
Tuesday, select 23 from the From drop-down list, and then select 0 from the To drop-down
list, you are monitoring the threshold for the last hour of the day on Tuesday.
Hours that you have already used to create schedules for that day do not appear in the
list.
4 In the Threshold box, type the threshold that represents the expected file load at which
you want Symantec Protection Engine to issue an alert.
Specify a threshold that would signify a possible issue but not generate a high number of
false alarms.

5 In the sidebar under Tasks, click Add Schedule.


The schedule appears in the Existing Schedules table. New schedules are activated by
default.
6 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.
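The per-minute threshold check from the Monitoring scanning requests overview and the 24-hour From/To range from the schedule procedure above, as an added Python example that is not part of the product or this guide. It assumes a schedule covers hours From <= hour < To, with To = 0 meaning the end of the day (consistent with the Tuesday 23-to-0 example), and that the caller supplies the per-minute request totals.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Schedule:
    """One row of the Existing Schedules table."""
    day: str                 # day of the week the schedule applies to
    from_hour: int           # From drop-down, 0-23 (24-hour clock)
    to_hour: int             # To drop-down, 0-23; 0 means midnight at the end of the day
    threshold_per_sec: int   # expected load in requests per second
    active: bool = True      # green (active) or red (inactive) in the table

    def __post_init__(self) -> None:
        if not (0 <= self.from_hour <= 23 and 0 <= self.to_hour <= 23):
            raise ValueError("hours must be 0-23")
        end = 24 if self.to_hour == 0 else self.to_hour
        if self.from_hour >= end:
            raise ValueError("From must be earlier than To")

    def covers(self, day: str, hour: int) -> bool:
        """True if this schedule monitors the given hour of the given day.

        Assumption (from the 23 -> 0 example in the guide): the range is
        From <= hour < To, so From 23 / To 0 covers only the last hour.
        """
        end = 24 if self.to_hour == 0 else self.to_hour
        return self.active and day == self.day and self.from_hour <= hour < end


def minute_total(per_second_counts: Sequence[int]) -> int:
    """Sum one minute of per-second request counts (60 samples expected)."""
    if len(per_second_counts) != 60:
        raise ValueError("a minute has 60 per-second samples")
    return sum(per_second_counts)


def evaluate_minutes(schedules: Iterable[Schedule],
                     minutes: Iterable[Tuple[str, int, int, int]]) -> List[Dict[str, object]]:
    """Return one Warning-level event per monitored minute below the expected load.

    minutes: (day, hour, minute, requests_in_that_minute) tuples.
    A minute is fine when requests >= threshold * 60 (e.g. 20/s -> 1,200).
    """
    schedules = list(schedules)
    alerts: List[Dict[str, object]] = []
    for day, hour, minute, requests in minutes:
        for sched in schedules:
            if sched.covers(day, hour):
                expected = sched.threshold_per_sec * 60
                if requests < expected:
                    alerts.append({
                        "level": "Warning",
                        "day": day,
                        "time": f"{hour:02d}:{minute:02d}",
                        "requests": requests,
                        "expected": expected,
                    })
                break  # an hour can belong to only one schedule per day
    return alerts


if __name__ == "__main__":
    # Constructed sample: the Wednesday 1:00-2:00 A.M. schedule from the guide,
    # with one quiet minute that should raise a Warning.
    wednesday = Schedule("Wednesday", 1, 2, 20)
    normal = minute_total([20] * 60)   # exactly the expected load: 1,200
    quiet = minute_total([10] * 60)    # 600 requests: below 1,200
    for alert in evaluate_minutes([wednesday], [("Wednesday", 1, 0, normal),
                                                ("Wednesday", 1, 1, quiet)]):
        print(alert)
```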

To deactivate an existing schedule


1 In the content area under Existing Schedules in the Existing Schedules table, click the
schedule that you want to deactivate.
2 Under Plan a Schedule, uncheck Enable Schedule.
3 In the sidebar under Tasks, click Update Schedule.
The schedule appears in red in the Existing Schedules table.
4 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

To activate a deactivated schedule


1 In the content area under Existing Schedules in the Existing Schedules table, click the
schedule that you want to activate.
2 Under Plan a Schedule, check Enable Schedule.

3 In the sidebar under Tasks, click Update Schedule.


The schedule appears in green in the Existing Schedules table.
4 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

To delete a schedule
1 In the content area under Existing Schedules in the Existing Schedules table, click the
schedule that you want to delete.
2 In the sidebar under Tasks, click Delete Schedule.
3 On the toolbar, select one of the following options:
Save: Saves your changes. Use this option to continue making changes in the console until you
are ready to apply them.
Apply: Applies your changes. Your changes are not implemented until you apply them.

See “How to monitor Symantec Protection Engine performance” on page 98.

Monitoring Symantec Protection Engine resources


You can monitor the resources Symantec Protection Engine uses for all of the supported
protocols.
Symantec Protection Engine refreshes the console view every 5 seconds so that you receive
up-to-date information.
Table 6-1 describes the scanning thread resources that you can monitor.

Table 6-1 Scanning threads

Item: Description

Active threads: Number of threads that Symantec Protection Engine uses to perform the scan

Waiting threads: Number of threads that are available for the scanning job

Thread pool size: Maximum number of threads that are available for scanning
See “Allocating resources for Symantec Protection Engine” on page 58.

Table 6-2 describes the load statistics resources that you can monitor.

Table 6-2 Load statistics

Item: Description

Threshold for queued requests: Number of scan requests at which Symantec Protection Engine
is at maximum load
See “Allocating resources for Symantec Protection Engine” on page 58.

Queued requests: Number of scan requests that are currently scheduled or pending

Number of requests per sec (Average over sixty seconds): Average number of scanning requests
that arrived in the past 60 seconds

Total files scanned (Since Installation): Number of files that Symantec Protection Engine
scanned since the program was installed

Total data scanned (Since Installation): Total data that Symantec Protection Engine scanned
since the program was installed

Table 6-3 describes the logging statistics resources that you can monitor.

Table 6-3 Logging statistics

Item: Description

Log directory location: Location of log files

Used space: Amount of used space for the location in which the Symantec Protection Engine
logs are maintained

Available space: Remaining available space for the location in which the Symantec Protection
Engine logs are maintained

Table 6-4 describes the miscellaneous resources that you can monitor.

Table 6-4 Miscellaneous

Item: Description

Process priority: The Symantec Protection Engine process priority
For more information about how to change a process priority, see the documentation for your
operating system.

To monitor Symantec Protection Engine resources


1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Resources.
See “Enabling resource consumption logging in Symantec Protection Engine” on page 104.

Enabling resource consumption logging in Symantec Protection Engine


The Resources page on the Symantec Protection Engine console displays information about
the resources that Symantec Protection Engine uses. Symantec Protection Engine refreshes
the console view on the Resources page every 5 seconds so that you receive up-to-date
information. From version 7.0 onwards, the data from the Resources page can be saved in log
files for further analysis. Symantec Protection Engine captures the resource data every 5
seconds and logs it every minute, so 12 rows are added to the log file each minute. The
resource consumption log files are saved in the default log directory as .rcl files.
See “To enable resource consumption logging in Symantec Protection Engine” on page 104.
To enable resource consumption logging in Symantec Protection Engine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Local Logging, check Enable resource consumption logging.
Resource consumption logging is disabled by default.

4 In the Number of resource consumption log files to retain (one per day) box, type
the number of individual log files to retain.
The default value is 0 so that all the log files are retained or none are deleted.
5 On the toolbar, select one of the following options:

Save: Saves your changes. Use this option to continue making changes in the console until you are ready to apply them.

Apply: Applies your changes. Your changes are not implemented until you apply them.

See “About configuring local logging” on page 146.
See “Monitoring Symantec Protection Engine resources” on page 102.

About resource consumption log files

Resource consumption log file names have the following format:
SSE<yyyymmdd>.rcl

where yyyy is the year, mm is the month, and dd is the day.


Table 6-5 describes the resource consumption log file content.

Table 6-5 Resource consumption log file content

Timestamp: Timestamp when the event was captured. The timestamp value is the offset from the standard epoch time.

No of requests per sec (average over sixty seconds): Average number of scanning requests that arrived in the past 60 seconds.

Total files scanned till now: Number of files that Symantec Protection Engine scanned since the program was installed.

Total data scanned (in bytes): Total data that Symantec Protection Engine scanned (in bytes) since the program was installed.

Process priority: The Symantec Protection Engine process priority. For more information about how to change a process priority, see the documentation for your operating system.

Used space (in bytes): Amount of space (in bytes) used by the log file directory.

Available space (in bytes): Amount of space available (in bytes) on the location where the log files are maintained.

Log directory location: Location where the log files are maintained.

Memory RSS Size (in bytes): Resident memory size of the Symantec Protection Engine process in bytes.

Memory Virtual Size (in bytes): Virtual memory size of the Symantec Protection Engine process in bytes.

Process ID: Process ID of Symantec Protection Engine.

Parent Process ID: Parent process ID of Symantec Protection Engine.

Stargate Dir Size (in MBs): Size of the Stargate directory in MBs.

Stargate Temp Dir Size (in MBs): Size of the temporary directory of Stargate in MBs.

Stargate Log Dir Size (in MBs): Size of the logs directory of Stargate in MBs.

SYMCScan Dir Size (in MBs): Directory size of Symantec Protection Engine in MBs.

SYMCScan Temp Dir Size (in MBs): Temporary directory size of Symantec Protection Engine in MBs.

Available space (in MBs): Amount of space in MBs on the location where the log files are maintained.

RPC Client-Active Threads-Waiting Threads-Thread Pool size-Threshold for queued requests-Queued Requests-Number of requests(RPC): Details of scanning threads and load statistics for the configured protocol. For multiple RPC clients ";" is used as a delimiter. Example:

■ Log file entry for RPC protocol with a single filer configured
198.51.100.0-0-16-128-100-0-0
■ Log file entry for RPC protocol with multiple filers configured
198.51.100.0-0-16-128-100-0-0;203.0.113.254-0-16-128-100-0-0;......
■ Log file entry for ICAP protocol
NA-0-16-128-100-0-NA

See “Enabling resource consumption logging in Symantec Protection Engine” on page 104.
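The load field is the one column of an .rcl row that carries a structured value, so it is worth parsing rather than eyeballing when you watch for thread-pool saturation. The following Python is an added example, not code from this guide or from Symantec Protection Engine; it takes only the load field as input (the separator between .rcl columns is not specified here and is not assumed), and its sample values are constructed, the first three mirroring the shapes shown in Table 6-5.

```python
"""Parse the load field of a Symantec Protection Engine resource consumption
(.rcl) log row and flag thread-pool and queue pressure per RPC client.

Added example, not code from the Implementation Guide or the product. Only the
load field documented in Table 6-5 is modelled; the separator between .rcl
columns is not assumed. Sample field values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientLoad:
    client: Optional[str]          # filer address for RPC; None for ICAP ("NA")
    active_threads: int
    waiting_threads: int
    pool_size: int
    queue_threshold: int           # threshold for queued requests
    queued_requests: int
    request_count: Optional[int]   # number of requests (RPC); None for ICAP ("NA")

    @property
    def queue_ratio(self) -> float:
        """Queued requests as a fraction of the configured threshold."""
        return self.queued_requests / self.queue_threshold if self.queue_threshold else 0.0

    @property
    def pool_exhausted(self) -> bool:
        return self.active_threads >= self.pool_size


def _int_or_none(token: str) -> Optional[int]:
    return None if token == "NA" else int(token)


def parse_load_field(field: str) -> List[ClientLoad]:
    """Split one load field into per-client records.

    Layout from Table 6-5: client-active-waiting-pool-threshold-queued-requests,
    with ';' separating multiple RPC clients and "NA" in the client and request
    positions for ICAP. The guide's multi-filer sample ends in "......", a
    continuation marker, so a trailing entry made only of dots is ignored.
    """
    records = []
    for entry in field.split(";"):
        entry = entry.strip()
        if not entry or entry.strip(".") == "":
            continue
        parts = entry.split("-")
        if len(parts) != 7:
            raise ValueError(f"unexpected load entry: {entry!r}")
        client = None if parts[0] == "NA" else parts[0]
        active, waiting, pool, threshold, queued = (int(p) for p in parts[1:6])
        records.append(ClientLoad(client, active, waiting, pool, threshold,
                                  queued, _int_or_none(parts[6])))
    return records


def pressure_warnings(field: str, queue_warn_ratio: float = 0.8) -> List[str]:
    """Return one human-readable warning per client that is under pressure."""
    warnings = []
    for rec in parse_load_field(field):
        name = rec.client or "ICAP"
        if rec.pool_exhausted:
            warnings.append(f"{name}: all {rec.pool_size} scanning threads busy")
        if rec.queue_ratio >= queue_warn_ratio:
            warnings.append(f"{name}: queue at {rec.queue_ratio:.0%} of threshold "
                            f"({rec.queued_requests}/{rec.queue_threshold})")
    return warnings


def peak_queue_ratio(fields: List[str]) -> Dict[str, float]:
    """Highest queue ratio seen per client over a run of samples.

    The engine captures the Resources data every 5 seconds and writes 12 rows
    per minute, so a one-minute window is 12 consecutive load fields.
    """
    peaks: Dict[str, float] = {}
    for field in fields:
        for rec in parse_load_field(field):
            name = rec.client or "ICAP"
            peaks[name] = max(peaks.get(name, 0.0), rec.queue_ratio)
    return peaks


# Constructed sample values (the first three mirror the shapes shown in Table 6-5).
SINGLE_FILER = "198.51.100.0-0-16-128-100-0-0"
MULTI_FILER = "198.51.100.0-0-16-128-100-0-0;203.0.113.254-0-16-128-100-0-0;......"
ICAP_ONLY = "NA-0-16-128-100-0-NA"
BUSY_FILER = "198.51.100.0-128-0-128-100-85-4210"   # constructed: pool full, queue at 85%

if __name__ == "__main__":
    for sample in (SINGLE_FILER, MULTI_FILER, ICAP_ONLY, BUSY_FILER):
        print(sample, "->", pressure_warnings(sample) or "ok")
```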
Ways to improve Symantec Protection Engine performance

Symantec Protection Engine installs with a default configuration that is designed to balance scanning services with scanning performance. However, you can modify Symantec Protection Engine settings and resources to maximize performance.
See “Deployment considerations and recommendations” on page 107.
See “Enhance performance by limiting scanning” on page 109.
See “Configuration settings that can conserve and enhance performance” on page 115.

Warning: Before you make any modifications, carefully consider the trade-offs between security and performance. For example, excluding certain files from being scanned improves overall performance. However, files that are not scanned might contain security risks or threats that could contaminate your network.

Ensure that you monitor performance regularly so that you can detect any degradation in
performance and make the necessary adjustments as soon as possible.
See “How to monitor Symantec Protection Engine performance” on page 98.

Deployment considerations and recommendations

Table 6-6 provides the deployment considerations that can improve Symantec Protection Engine performance.

Table 6-6 Symantec Protection Engine deployment recommendations

Determining CPU speed and system architecture capacity: Symantec Protection Engine server performance can benefit from the following features:

■ Higher CPU speed
CPU bottlenecks occur when \Processor\%Processor Time performance counter numbers are high while the network adapter and disk I/O remain below capacity. In this case (which is the ideal CPU-maximized system), reaching 100% means that the CPU power must be increased. CPU power can be increased by upgrading to a faster CPU or by adding more processors.
While Symantec Protection Engine can benefit from faster CPU speeds, increasing the CPU speed does not ensure a linear increase in performance. Because of the large and frequent memory access effect, an increase in CPU speed can result in wasted, idle CPU cycles when waiting for memory.
Hyper-threading capabilities can also aid in lowering CPU utilization levels when no more than 60% of the CPU capacity is consumed. At higher CPU utilization levels, enabled hyper-threading consumes the same processing power as disabled hyper-threading.
■ Larger processor cache
Large amounts of data can require frequent memory access. An L2/L3 cache improves performance when large amounts of memory are accessed.
■ Improved system architecture
Symantec Protection Engine transfers large data loads between network devices, memory, and the CPU. Therefore, the system elements around the CPU also have an effect on server performance. A faster memory front side bus and faster I/O buses improve overall performance.

Determining network capacity: Every network device that exists on a connection has a capacity limit. Such devices include the client and server network adapters, routers, switches, and hubs that interconnect them. Adequate network capacity means that none of these network devices are saturated. You should monitor network activity to ensure that the actual loads on all network devices are below their maximum capacity.
In most cases, the Internet connection bandwidth sets the limit for the volume of Internet traffic. Weak performance during peak traffic hours can be the result of over-utilization of the Internet link. If Symantec Protection Engine is connected only to LANs, you must have the proper infrastructure to support maximum traffic requirements. If the network is 1 Gbps or greater, consider enabling jumbo frames on the switch and on all of the Symantec Protection Engine servers.
You should also ensure that the entire networking infrastructure is appropriately rated. For example, if you connect the computers that contain gigabit network interface cards, ensure that the network interface cards are in full duplex mode. Also ensure that the network interface cards are configured at their maximum possible bandwidth.

Determining disk storage capacity: Symantec Protection Engine uses disk space primarily for storing temporary files for scanning and for storing logs. A shortage of disk space might severely affect the scanning functionality of Symantec Protection Engine. If you experience disk space shortages, consider adding more physical disks.

See “Ways to improve Symantec Protection Engine performance” on page 107.

Enhance performance by limiting scanning

One way to enhance scanning performance is to limit the files that Symantec Protection Engine scans.
You can limit the files that are scanned as follows:

Exclude specific file extensions and file types from scanning: When you enable this option, Symantec Protection Engine scans only the file extensions or the file types that are not in the exclude lists. The default file exclude lists contain the most common file extensions and the types that are unlikely to contain threats.
See “Specifying which files to scan” on page 110.

Block the files or email messages that meet or exceed a specific size from scanning: This option lets you specify the maximum size of files or messages to scan.
See “Specifying the maximum file or message size to scan” on page 113.

Impose limits on container files: You can impose limits on how you want Symantec Protection Engine to decompose and scan container files. Imposing limits can conserve scanning resources. You can specify the following limits for handling container files:
■ The maximum file size, in MB, for the individual files that are in a container file.
■ The maximum number of nested levels to be decomposed for scanning.
See “Setting container file limits” on page 113.

Specifying which files to scan

Threats are only found in the file types that contain executable code. When Symantec Protection
Engine receives a top-level file or a container file, it performs an analysis of the file structure
to determine its true file type. You can conserve bandwidth and time by only scanning the files
that might contain threats, based upon their file extensions or file types.
Symantec Protection Engine is configured by default to scan all files regardless of extension
or type.
You can choose to scan all files except those that are in the file extension and file type exclude
lists. Symantec Protection Engine scans only top-level files or the files that are embedded in
the archival file formats that are not contained in either list. The default exclude lists contain
the most common file extensions and the file types that are unlikely to contain threats.
You can add any file extension to the File extension exclude list (file extensions must begin
with a period).
The file types that you can add to the File type exclude list are as follows:

image/jpeg image/bmp image/gif

image/tiff image/x-png image/x-pixmap

image/x-ico audio/mtm audio/x-aiff

audio/x-au audio/midi audio/x-wav

audio/x-realaudio audio/x-mpeg audio/x-s3m

audio/shn audio/x-stx audio/it

audio/x-mod audio/med video/x-ms-wmv

video/x-msvideo video/mpeg video/quicktime

binary/ms-structured-storage application/x86-win-32-exe application/pcx

application/ms-tnef application/lzh application/x-lharc

application/x-lha application/rar application/lz

application/arj application/x-gzip application/ole

application/x-zip application/x-ace application/graphicconverter

application/java-archive application/x-tar application/cab

application/ani application/bh application/x-bz2

application/imz application/x-macbinary application/x-ogg

application/x-pdf application/rtf application/x-sit

application/x-zoo application/postscript application/iso

Note: Although file types are formatted similarly to MIME types, they are not derived from
MIME headers of the messages that are scanned. Symantec Protection Engine derives file
types by an analysis of the data itself, regardless of what information is in the MIME type.

As you evaluate which files to exclude from scanning, consider the trade-offs between
performance and protection. An exclusion list lets some files bypass scanning. Thus, new
types of threats might not always be detected. Scanning all files regardless of type or extension
is the most secure setting, but it imposes the heaviest demand on resources. During outbreaks,
you might want to scan all files even if you normally use the exclusion lists to control the files
that are scanned.

Warning: Use caution if you add .jpg or .jpeg to the File extension exclude list or image/jpg,
image/jpeg, or image/* to the File type exclude list. These file types can be encoded with
threats and might pose a risk to your network.

To specify which files to scan

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Scanning.

3 In the content area under Files to Scan, click Scan all files except those in the extension
or type exclude lists.
4 In the File extension exclude list, do any of the following steps:

To add a file extension to the exclude list: Type the file extension that you want to add. Type each entry on a separate line. Each entry should begin with a period.

To remove a file extension from the exclude list: Highlight and delete the file extension that you want to remove.

5 In the File type exclude list, do any of the following steps:

To add a file type to the exclude list: Type the file type that you want to add. Type each file type on a separate line. You must type the file type exactly as it appears in the list. Use the wildcard character /* to include all subtypes for a file type. For example, if you type audio/* you would exclude all audio subtypes from being scanned.

To remove a file type from the exclude list: Highlight and delete the file type that you want to remove.

To exclude files from scanning based on file size: See “Excluding files from scanning based on file size” on page 96.

6 To restore the default exclude lists, under Tasks, click Reset Default List.
This option restores the default File type exclude list and File extension exclude list.
7 On the toolbar, select one of the following options:

Save: Saves your changes. Use this option to continue making changes in the console until you are ready to apply them.

Apply: Applies your changes. Your changes are not implemented until you apply them.
See “Enhance performance by limiting scanning” on page 109.
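To make the exclude-list semantics concrete (scan everything except what either list matches, extension entries beginning with a period, and the /* wildcard on file types), here is an added Python model that is not the product's own logic. It assumes the file's true type has already been derived from its content, as the engine does, that matching is case-insensitive, and that the sample lists are constructed rather than the product defaults; the last function flags the JPEG exclusions that the warning above singles out.

```python
"""Model of the 'scan all files except those in the exclude lists' policy
described under 'Specifying which files to scan'.

Added example, not the product's own logic. Assumptions: the caller already
holds the file's true type from content analysis (the engine derives types
from the data, not from MIME headers), matching is case-insensitive, and the
sample lists at the bottom are constructed, not the product defaults."""
from typing import List, NamedTuple, Set

# Exclusions the guide's warning singles out: JPEG data can carry threats.
RISKY_EXTENSIONS = {".jpg", ".jpeg"}
RISKY_TYPES = {"image/jpg", "image/jpeg", "image/*"}


class Decision(NamedTuple):
    scan: bool
    reason: str


def parse_extension_list(text: str) -> Set[str]:
    """One entry per line; each must begin with a period, as the console requires."""
    entries = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if not entry.startswith("."):
            raise ValueError(f"extension entry must begin with a period: {entry!r}")
        entries.add(entry.lower())
    return entries


def parse_type_list(text: str) -> Set[str]:
    """One file type per line, exactly as listed, or 'major/*' to cover all subtypes."""
    entries = set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if entry.count("/") != 1 or entry.startswith("/") or entry.endswith("/"):
            raise ValueError(f"file type entry must look like major/subtype: {entry!r}")
        entries.add(entry)
    return entries


def type_excluded(detected_type: str, type_list: Set[str]) -> bool:
    """Exact match, or a 'major/*' wildcard covering the detected type's major type."""
    detected_type = detected_type.lower()
    major = detected_type.split("/", 1)[0]
    return detected_type in type_list or f"{major}/*" in type_list


def extension_excluded(filename: str, ext_list: Set[str]) -> bool:
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in ext_list


def should_scan(filename: str, detected_type: str,
                ext_list: Set[str], type_list: Set[str]) -> Decision:
    """Scan everything except files that match either exclude list.

    Note the trade-off the guide warns about: a file whose extension is excluded
    is skipped even if content analysis says it is executable.
    """
    if extension_excluded(filename, ext_list):
        return Decision(False, "extension in exclude list")
    if type_excluded(detected_type, type_list):
        return Decision(False, "file type in exclude list")
    return Decision(True, "not excluded")


def risky_exclusions(ext_list: Set[str], type_list: Set[str]) -> List[str]:
    """Entries present in the lists that the guide's warning advises caution on."""
    return sorted((ext_list & RISKY_EXTENSIONS) | (type_list & RISKY_TYPES))


# Constructed sample lists; not the product's default lists.
SAMPLE_EXTENSIONS = parse_extension_list(".txt\n.log\n.jpg\n")
SAMPLE_TYPES = parse_type_list("audio/*\nvideo/mpeg\nimage/gif\n")

if __name__ == "__main__":
    for name, ftype in (("notes.TXT", "text/plain"), ("song.bin", "audio/x-wav"),
                        ("clip.bin", "video/quicktime"),
                        ("invoice.txt", "application/x86-win-32-exe")):
        print(name, ftype, should_scan(name, ftype, SAMPLE_EXTENSIONS, SAMPLE_TYPES))
    print("risky exclusions:", risky_exclusions(SAMPLE_EXTENSIONS, SAMPLE_TYPES))
```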


Specifying the maximum file or message size to scan

If your client uses the ICAP protocol, you can specify a maximum size of files or messages to
scan. For messages, the maximum size includes the size of the entire message body and all
attachments. For container files, the maximum size includes the container file and all of its
contents. The files and mail messages that meet or exceed the maximum file size are blocked.
By default, Symantec Protection Engine has no limits on total file or message sizes.
See “To specify the maximum file or message size to scan” on page 113.
To specify the maximum file or message size to scan
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 In the content area on the Files tab, under Blocking by Total Message Size, in the Block
files or messages that are larger than box, type the maximum file size (in bytes) that
Symantec Protection Engine should accept.
The default value is 0. This setting places no limits on file or message size.
4 On the toolbar, select one of the following options:

Save: Saves your changes. Use this option to continue making changes in the console until you are ready to apply them.

Apply: Applies your changes. Your changes are not implemented until you apply them.
See “Enhance performance by limiting scanning” on page 109.

Setting container file limits

Symantec Protection Engine protects your network from file attachments that can overload the system, consume scanning resources, and degrade performance.
This protection includes the container files that have any of the following characteristics:
■ Overly large
■ Contain large numbers of embedded, compressed files
■ Are designed to maliciously use resources and degrade performance
To enhance scanning performance and reduce your exposure to denial-of-service attacks,
you can impose limits to control how Symantec Protection Engine handles container files.
You can specify the following limits for handling container files:

■ The maximum file size, in MB, for the individual files that are in a container file
■ The maximum number of nested levels to be decomposed for scanning
Symantec Protection Engine scans a file and its contents until it reaches the maximum depth that you specify. When a file meets the maximum file size limit, Symantec Protection Engine stops scanning that file, generates a log entry, and resumes scanning any remaining files. This process continues until Symantec Protection Engine has scanned, to the maximum depth, all of the files that do not meet any of the processing limits.
You can specify whether to allow or to deny access to files for which an established limit is
met or exceeded. Access is denied by default.
See “To set container file limits” on page 114.

Warning: If you allow access to a file that has not been fully scanned, you can expose your
network to risks.

To set container file limits

1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 In the Maximum extract size of file meets or exceeds box, type the maximum file size,
in MB, for individual files in a container file.
The default setting is 100 MB. To disable this setting (so that no limit is imposed), type 0.
4 In the Maximum extract depth of file meets or exceeds box, type the maximum number
of nested levels of files that are decomposed within a container file.
The default setting is 10 levels. The maximum value for this setting is 50.
5 On the toolbar, select one of the following options:

Save: Saves your changes. Use this option to continue making changes in the console until you are ready to apply them.

Apply: Applies your changes. Your changes are not implemented until you apply them.
See “Enhance performance by limiting scanning” on page 109.
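As an added illustration of how the two container limits and the allow/deny setting interact (not the product's own implementation), the following Python walks a constructed nested-container tree with the console defaults of 100 MB and 10 levels. It assumes nesting levels are counted from 1 for the first embedded level, that levels 1 through the configured maximum are decomposed, and that the per-file size limit applies to embedded files rather than to the top-level file.

```python
"""Model of the container file limits described under 'Setting container
file limits': a maximum extract size per embedded file, a maximum nesting
depth, and an allow/deny decision when a limit is met.

Added example, not the product's own implementation. Assumptions: a container
is a nested dict (constructed below); nesting levels count from 1 for the
first embedded level and levels 1..max_depth are decomposed; the size limit
applies to embedded files, not the top-level file; 0 disables the size limit."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

DEFAULT_MAX_EXTRACT_MB = 100   # console default; 0 disables the size limit
DEFAULT_MAX_DEPTH = 10         # console default; the console caps the value at 50


@dataclass
class ScanReport:
    scanned: List[str] = field(default_factory=list)
    log_entries: List[str] = field(default_factory=list)
    limit_hit: bool = False
    allowed: bool = False


def validate_limits(max_extract_mb: int, max_depth: int) -> None:
    """Reject values the console would not accept (lower bound of 1 is an assumption)."""
    if max_extract_mb < 0:
        raise ValueError("maximum extract size cannot be negative")
    if not 1 <= max_depth <= 50:
        raise ValueError("maximum extract depth must be between 1 and 50")


def scan_container(entry: Dict[str, Any],
                   max_extract_mb: int = DEFAULT_MAX_EXTRACT_MB,
                   max_depth: int = DEFAULT_MAX_DEPTH,
                   allow_on_limit: bool = False) -> ScanReport:
    """Walk the container applying both limits; access is denied by default when either is met."""
    validate_limits(max_extract_mb, max_depth)
    report = ScanReport()
    _walk(entry, 0, max_extract_mb, max_depth, report)
    report.allowed = (not report.limit_hit) or allow_on_limit
    return report


def _walk(entry: Dict[str, Any], level: int, max_extract_mb: int,
          max_depth: int, report: ScanReport) -> None:
    name = entry["name"]
    # Size limit: an embedded file that meets the limit is skipped and logged;
    # scanning resumes with the remaining files.
    if level > 0 and max_extract_mb and entry["size_mb"] >= max_extract_mb:
        report.log_entries.append(
            f"{name}: extract size {entry['size_mb']} MB meets limit of {max_extract_mb} MB")
        report.limit_hit = True
        return
    report.scanned.append(name)
    children = entry.get("children", [])
    if not children:
        return
    # Depth limit: do not decompose into a nesting level beyond the maximum.
    if level + 1 > max_depth:
        report.log_entries.append(
            f"{name}: nested level {level + 1} exceeds depth limit of {max_depth}")
        report.limit_hit = True
        return
    for child in children:
        _walk(child, level + 1, max_extract_mb, max_depth, report)


# Constructed sample: one oversized embedded file and three nesting levels.
SAMPLE = {"name": "upload.zip", "size_mb": 30, "children": [
    {"name": "report.docx", "size_mb": 2},
    {"name": "payload.bin", "size_mb": 150},
    {"name": "inner.zip", "size_mb": 5, "children": [
        {"name": "deep.zip", "size_mb": 1, "children": [
            {"name": "note.txt", "size_mb": 0.1}]}]}]}

if __name__ == "__main__":
    for kwargs in ({}, {"max_extract_mb": 0}, {"max_depth": 2}, {"allow_on_limit": True}):
        print(kwargs, scan_container(SAMPLE, **kwargs))
```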


Configuration settings that can conserve and enhance performance

Table 6-7 describes the configurations that you can modify to enhance Symantec Protection
Engine performance.

Table 6-7 Configurations to enhance performance

Modify system scanning resources: The system scanning resource settings that you can modify to enhance performance are as follows:

■ Temporary directory for scanning
You can change the location of this temporary directory to support sites with large, specialized disk configurations. The disk space that is required for this directory varies depending on the volume of files to be scanned. Symantec Protection Engine performance depends on this directory being able to accommodate a large volume of large files during periods of peak use.
■ Number of available threads for scanning
This value defines the maximum number of scanning threads that Symantec Protection Engine generates. Symantec Protection Engine initializes the threads when the service starts. The number of threads that are initialized depends on the number of cores of the processor. The maximum value is 512 threads.
See “About available threads for scanning” on page 116.

See “Allocating resources for Symantec Protection Engine” on page 58.

Modify server resources: Symantec Protection Engine can decompose and scan the contents of container files in memory, which eliminates the latency that is imposed by on-disk scanning. This feature can improve performance in environments in which large volumes of container and archive file formats are routinely submitted for scanning. You can limit the resources that Symantec Protection Engine consumes for processing files in memory by specifying the following settings:

■ The maximum RAM to use for the in-memory file system (in megabytes)
The default value is 2048 MB.
For systems with larger amounts of memory, scanning is improved when a larger section of RAM is set aside for in-memory file scanning. Keep in mind, however, that the RAM setting should be set low enough so that no file swap usage occurs.

See “Allocating resources for Symantec Protection Engine” on page 58.

Notify a file server when Symantec Protection Engine updates definitions: The process of sending notifications to the file server about definition updates can affect system resources, depending on how often you schedule LiveUpdate. To minimize the effect on performance, you can send the notification on demand, as needed.
About available threads for scanning

Symantec Protection Engine calculates the default number of threads based on the number of processor cores. Symantec Protection Engine initializes the threads when the service starts. The number of threads that are initialized depends on the number of cores of the processor. The maximum value is 512 threads.

Table 6-8 Available threads

Processor core count   Min threads   Max threads
1                      8             24
2                      8             24
4                      8             24
8                      8             24
16                     16            48
32                     32            96
n >= 8                 n             n*3

Chapter 7
Filtering URLs
This chapter includes the following topics:

■ About filtering URLs
■ How to filter a URL
■ About URL Reputation
■ Configuring URL Reputation

About filtering URLs

If your client uses ICAP, you can filter Web sites based on Uniform Resource Locator (URL)
addresses. Symantec Protection Engine uses URL categories to restrict access to the Web
sites that may contain inappropriate content. You can filter outgoing requests like search engine
queries and URL addresses.
Symantec Protection Engine includes predefined URL categories that consist of URLs containing related subject matter. Symantec Protection Engine 7.0 and later is integrated with an enhanced URL database. The number of predefined URL categories has been increased to follow current online trends like social networking, search engines, blogs, and online shopping. This increase in the categories lets you block access to more specific topics.
You can also create custom categories called local categories. When you place a category
into the Deny Access list, access is denied to any URL that is contained in that category.
See “About categories” on page 118.
A description of the scanning modes is as follows:

Audit mode: When you select audit mode, Symantec Protection Engine notifies the ICAP client of all the Symantec, CAIC, and Local categories that the requested URL falls under. Based on this information, the ICAP client handles the application of the filtering policies. The client determines whether to block the site and deny access.

Filtering mode: When Symantec Protection Engine operates in the filtering mode, Symantec Protection Engine handles the application of URL filtering. You configure the types of URL that you want to deny. Based on your configuration, Symantec Protection Engine determines whether to deny access for each request. Symantec Protection Engine returns to the user an "Access Denied" message when it blocks access to a URL.

See “About the filtering modes” on page 131.
See “How to filter a URL” on page 131.

About categories
Symantec Protection Engine uses categories to determine whether access to a URL should
be denied. Symantec Protection Engine provides predefined URL categories. You can also
create additional categories (local categories) to meet your needs.
See “About predefined URL categories” on page 118.
See “About local categories” on page 131.

About predefined URL categories

Table 7-1 provides information about the predefined URL categories that are included in
Symantec Protection Engine.

Table 7-1 Predefined URL categories

URL Category Description

Abortion Sites that provide information or arguments in favor of or against abortion; offer
help to obtain or avoid abortion; describe abortion methods and how to perform
them; provide testimonials on the physical, social, mental, moral, or emotional
effects of abortion.

Advertising Sites that provide Internet advertising services such as Sponsored ads, search
engine marketing, pop-up, banner ads and so on.

Alcohol Sites that promote or sell alcoholic beverages; provide recipes or techniques
to make alcoholic beverages; glorify, brag, or otherwise encourage alcohol
consumption or intoxication such as home brewing and distilling, recipes, clubs,
and associations, and drinking games.

Anonymizer Sites that offer anonymous access to Web sites through a PHP or CGI proxy,
allowing users to gain access to Web sites that are blocked by corporate and
school proxies as well as parental control filtering solutions.
Filtering URLs 119
About filtering URLs

Table 7-1 Predefined URL categories (continued)

URL Category Description

Art and Museums Sites that include art galleries, artists, and museums such as performing arts,
theater, painting, drawing, sculpture, and photography are included.

Art Nudes Sites that contain the non-pornographic, tasteful, and artful display of the naked
body. The main purpose of these sites is not sexual arousal.

Automated Web Sites that allow a computer to automatically open an HTTP connection for
Application reasons such as checking for operating system or application updates.

Automotive Sites that relate to manufacturers of motor vehicles, automotive dealers, motor
sports, and clubs.

Bikini Sites that offer the sale of bikinis, microkinis, monokinis, and thongs which are
marketed as beachwear rather than swimwear. Also the sites that feature
galleries and videos of models in bikinis.

Blog Sites that contain ‘blogs’ . Blogs are usually maintained by an individual with
regular entries of commentary, descriptions of events, or other material such
as graphics or video. Entries are commonly displayed in reverse chronological
order like comments on specific topics, online diaries, audio and video blogs.

Business Sites that are sponsored by or devoted to individual businesses and are not
covered by any other categories such as aerospace and defense industries,
Business Wireless
agriculture, biotech, and chemicals.

CAIC Sites that contain or distribute images of non-adult children that are depicted
in a state of abuse. These include the sites that depict indecent images of
children, advertisements for or links to such content, on a publically available
Web site.

Cash Gambling Sites that involve the wagering and exchange of money in addition to placing
bets or participating in betting pools (including lotteries) online; receiving
instructions, assistance or training on participating in games of chance; obtaining
information, assistance or recommendations for placing a bet.

Chat Sites that enable online chatting in real time. These can include text-based chat,
instant messaging chat, and visual chat rooms.
Chat/SMS/Text
Messaging Wireless

Criminal Skills Sites that provide instruction for threatening or violating the security of property
or the privacy of people; also how to avoid complying with legally mandated
duties and obligations. These include how to steal money, how to create fake
IDs and documents, how to defeat locks, how to intercept phone calls, how to
evade or circumvent the law.
Filtering URLs 120
About filtering URLs

Table 7-1 Predefined URL categories (continued)

URL Category Description

Cults Sites that promote prominent, organized, and modern religious groups that are
identified as “cults” by three or more authoritative sources. Examples include:

■ The Church of Satan


■ Aum Shinrikyo
■ The Hare Krishna movement
■ The Family
■ The Unification Church
■ Branch Davidians
■ Scientologists
*Sources:

■ AFF (American Family Foundation), http://www.csj.org/ - A non-profit,


tax-exempt research center whose research comes from volunteer
professionals ranging from fields in journalism, education, society, and law
enforcement.
■ CESNUR (Center for Studies on New Religions), http://www.cesnur.org/ -
Associations of scholars working in the field of new religious movements;
they operate independent of any church, denomination, or religion.
■ University of Virginia - “Religious Movements” page,
http://religiousmovements.lib.virginia.edu/profiles/listalpha.htm - A scholarly
source consisting of mainly student’s research, it appears- and claims- to
be one of the most current sources.
■ Ontario Consultants on Religious Tolerance,
http://www.religioustolerance.com/ - Scholarly collection of researched topics
and elaborate categorization of all belief systems.

Drugs Sites that promote, offer, sell, supply, encourage, or otherwise advocate the
recreational or illegal use, cultivation, manufacture, or distribution of drugs,
pharmaceuticals, intoxicating plants, or chemicals and their related
paraphernalia. For instance, how to use recreational drugs, seeds and
manufacturing tips, drug gear, and equipment.

Dynamic Sites that have dynamically changing content and may generate, display, or
offer links to inappropriate material such as search engines, directory services,
Dynamic Wireless
hosting, portals, and blogs.

Education Sites that represent schools or other educational facilities, faculty, or alumni
groups such as homeschooling, public and private schools, universities and
colleges.

Energy Sites that represent companies involved with the production and distribution of
energy such as oil companies, gas companies, power companies, and alternative
energy companies.
Filtering URLs 121
About filtering URLs

Table 7-1 Predefined URL categories (continued)

URL Category Description

Enterprise Webmail Sites that provide free Web email services such as Yahoo, Google, etc.; ISP
email access, business, school, or institutional access by Web email, Web email
provided free or paid hosting services.

Entertainment Sites that relate to the entertainment industry such as official Web sites for
movies, radio stations, film studios, fan sites about celebrities, and so on.
Entertainment Wireless

File sharing Sites that provide files for downloading over the Internet or smaller private
networks, through the client software to enable peer-to-peer sharing and transfer
of the files.

Finance and Investing Sites that provide information about personal finance and investments,
investment models, guides, tips, etc. Sites that allow users online trading, buy
Finance Wireless
or sell financial instruments.

Food and Restaurants Sites that provide information, guides, and reviews about restaurants; specialty
food shops, food recipes, and food delivery.

Forums and Message Sites that provide message boards and forums where users can discuss
Boards numerous topics. Sites that provide monitored or unmonitored Web forums,
Bulletin boards, etc.

Freeware and Sites that make software available for downloading to users such as freeware,
Shareware shareware, or open source software.

Gambling / Gambling Wireless Sites that provide online casinos, lotteries, information and instructions about
placing bets, the ability to bet online and participate in betting pools, and online
gambling.

Gaming Sites that are dedicated to online games, game tips, game downloads, interactive
games, and multiplayer games.

Glamour Sites that promote and provide information about physical attractiveness; allure,
charm, beauty, or style with respect to personal appearance, clothes, shoes,
hair, make-up, and fashion accessories. Sites that contain information about
Body Art and Cosmetics, hairdressing, Fashion, and Glamourous Portals.

Gore Sites that feature graphic violence, bodily harm, or self inflicted harm. Sites that
contain images of grotesque violence towards humans or animals, images of
death and injury, and frightening descriptions.

Government Sites that are sponsored by government branches or agencies such as Local
and State Government, Health, and Social Services, Elections, Employment,
Public Safety, and Services, Embassies, and Consulates.

Hacking Sites that promote illegal use of technology and programming skills to access
networks, databases, etc. Sites that contain techniques and skills for
denial-of-service, packet sniffing, and spoofing.

Hate Sites that promote hostility against particular individual or group on the basis
of race, religion, color, gender, and origin.

Health Sites that provide information about personal health and medical services,
hygiene, diets, therapies, and counseling services about health.

Hobbies Sites that provide information about personal interests like collectibles, crafts,
pets, and past times.

Hosting Sites that provide online systems such as free or paid hosting, dedicated or
managed hosting, virtual private server hosting, and online backup file storage,
to store the data.

Internet Telephony Sites that provide the facility for telephone calls by Internet, or provide information
or software for the purpose.

Job Search Sites that are dedicated to job searches, job listings, creating and posting
resumes, and organizing job fairs.

Kids Sites that are dedicated to children activities such as artwork, school projects,
crafts, information to answer their questions, and games.

Law Sites that contain legal information about state and regional laws, lawyers, legal
services, legal consultations.

Lifestyle Sites that contain general material relevant to sexual orientation. These sites
contain pages dedicated to the groups* themselves, discussions, issues, clubs, and
personal home pages that address or support sexual orientation lifestyle choices.
These are sites mainly by target group members for target group members.
Discussions and issues of an explicitly mature nature are not part of this
category. *The specific target groups in question are gay, lesbian, bisexual, and
transgender, subsequently referred to as “GLBT”. Examples include:

■ Sites dedicated to GLBT orientation issues, resources, outreach, portals,
clubs, associations, personal sites (personal home pages), and activism.
■ Religion, political, legal, and news sources that accept, promote, or wholly
address target groups. Incorporates politics (politicians and their platforms,
PACs, lobby groups); political issues (legality of gay rights, adoption,
marriage, health or wellness (ACT-UP)); legal rulings or precedents.
■ Family, adoption, or marriage or partner concerns and rights within target
groups
■ All chat pages that are devoted to GLBT issues, regardless of stated or
implied chat subject(s). Gay politics chat, lesbian mothering chat, and bisexual
rights chat are considered GLBT issues.
■ GLBT advice; sites that exclusively discuss sexual orientation issues, such as
coming out and how to address one’s orientation with friends and family. These
sites do not include discussions that are mainly mature in nature.
■ Transgender lifestyles by choice, cross-dressing, youth pages, and
“genderqueer” categories (excludes intersexual issues, that is, the medical
discussions, treatments, and theories surrounding children born with
indeterminate genitalia); incorporates hormone therapy, elective gender
reassignment, personal accounts, mental or emotional health issues, and
similar related items.

Malware Domain Sites where the domain was found to either contain malware or take advantage
of other exploits to deliver adware, spyware, or malware.

Mature Content Sites that contain sexually explicit information that is not of a medical or scientific
nature. Examples are:

■ Discussions or descriptions of sexual techniques or exercises
■ Sexual relationship counseling
■ Products to improve one’s sex life
■ Explicit discussions of sex and sexuality
■ Sexual orientation issues
■ Lingerie sales
■ Nudism or Naturism
Sites that refer to themselves as nudist sites but are thinly disguised pornography
sites are not part of Mature Content; they are covered by the Pornography category.

Military Sites that are sponsored by military branches or agencies as well as official and
personal sites related to military history, ideology, or specific branches of the
military.

Mobile Entertainment Sites that offer a range of add-ons for handheld devices like ringtones,
wallpapers, games, and videos.

Music Sites that are related to the music industry such as radio Websites, band or
artist pages, music fan sites, music reviews, music studios and venues, and
lyrics, tablature, and sheet music.

News / News Wireless Sites that primarily report, inform, or comment on current events or
contemporary issues of the day. Includes sports, weather, editorials, and human
interest news. Examples include:

■ Mainstream news services, daily news, local or regional news
■ Alternative news
■ Internet news broadcasts (audio or video)
■ News-oriented online and print magazines or newspapers
■ News services or personalized news
■ Editorials or opinion columns

Non profit Sites that are owned by non-profit organizations. A non-profit organization
(abbreviated "NPO", also "not-for-profit") is a legally constituted organization
whose primary objective is to support or to actively engage in activities of public
or private interest without any commercial or monetary profit purposes. NPOs
are active in a wide range of areas, like the environment, humanitarian aid,
animal protection, education, the arts, social issues, charities, health care,
politics, religion, research, sports, or other endeavors.

Occult Sites that promote or offer methods, means of instruction, or other resources
to affect or influence real events through the use of spells, curses, magic powers,
or supernatural beings. Examples are:

■ Magic spells and curses, encompassing both self-defined “black” and “white”
magic
■ Chaos Magick, Crowley, Golden Dawn, Ordo Templi Orientalis
■ Demonolatry (worship of demons)
■ Witchcraft and its practices, rituals, and activities, Wiccan magic,
Pagan/neo-Pagan magic. Asatru (Odinism)
■ Vodun (Voodoo/Santeria)
■ Herbs, tools or paraphernalia for casting spells, summoning demons, or
engaging in other magical behavior or activities

Personal Ads and Dating / Personal Ads and Dating Wireless Sites that promote or provide opportunity for establishing or continuing romantic
or sexual relationships. Examples are:

■ Dating portals and directories
■ Personal ads like general, regional, lifestyle, 900 numbers, personal pages
that promote or provide personal ads
■ Cyber relationships and dating services, matchmaking services, and e-dating
services
■ International introductions, pen pal agencies, and introduction agencies

Pets Sites and forums related to the care, maintenance, purchase, rescue, or breeding
of any animal for companionship and enjoyment. The category excludes livestock
or laboratory animals which are kept for economic or scientific reasons.
Examples include:

■ Pet care
■ Pet products
■ Animal rescue
■ Pet breeding

Placeholder Sites that are typically owned by domain name registrars, domain brokers, or
Internet advertising publishers. They usually display dynamically generated
content with the intent to monetize on traffic through linked advertising listings.
Examples of such sites are:

■ Domains for sale
■ Parked domains
■ Expired domains
■ Domains under construction
■ Sites that are “coming soon”

Politics Sites that relate to politicians, election campaigns, political organizations, and
publications. Includes official home pages of politicians and political parties as
well as personal sites about politics and grass-root movements.

Pornography / Pornography Wireless Sites that contain sexually explicit material for the purpose of arousing a sexual
or prurient interest. Examples are:

■ Sex chat rooms and portals
■ Pornography, thumbnail or picpost sites
■ Online pornographic magazines
■ Pornographic picture galleries (general and topic-specific)
■ Pornographic fiction or erotica
■ Phone sex or live video
■ Adult services, escort services, strippers, or mistresses
■ Adult personal ads or Adult-themed dating services
■ Sex toys or marital aids or videos, CD-ROMs, books, fetish clothing

Portal Sites that offer a broad array of resources and services, such as email, forums,
search engines, and online shopping malls. Portals typically publish their own
content or collate multiple sources of information for many areas such as news,
entertainment, sports, technology, and finance.

Real Estate Commercial sites that are involved in the real estate business. Examples
are:

■ Sites of individual brokers and agents
■ Real estate companies
■ Real estate search or property location services
■ Sites offering real estate tips and advice

Reference Sites that contain personal, professional, or educational references. Examples
are:

■ Online dictionaries, encyclopedias, thesauri
■ Maps and language translation sites

Religion Sites on religion as any set of beliefs and practices that have the function of
addressing the fundamental questions of human identity, ethics, death, and the
existence of the Divine.

Science Sites that provide research materials in the natural and life sciences.

Search Sites that support searching the Internet, newsgroups, or indices and directories.

Self Harm Sites that describe or discuss ways in which to self harm, including eating
disorders and self-injury. Eating disorder sites include:

■ Sites about anorexia, bulimia, and binge eating disorder or compulsive
overeating, compulsive over-exercising, pica, Prader-Willi syndrome, night
eating syndrome, body dysmorphic disorder, orthorexia, and bigorexia
■ Sites supporting an eating disorder as a lifestyle choice, covering issues like
diet and exercise methods, how to hide your eating disorder, the thin
commandments, and so on.
■ Personal pages, journals, blogs, forums, and webrings supporting an eating
disorder lifestyle
■ Picture pages or galleries created for inspiring people with eating disorders,
for example, thinspiration, thinspo.
Self-injury sites include:

■ Sites about self-injury including cutting, punching, hitting, scratching, choking,
self-biting, picking at wounds, and self-poisoning.
■ Personal pages, forums, and clubs that may trigger self-injurious behavior
■ Self injury webrings
■ Pictures of self injury

Sexual Education Sites that provide educational information on reproduction and sexual
development, sexually transmitted disease, contraception, safe sexual practices,
sexuality, and sexual orientation.

Shopping Sites that provide the means to purchase products or services online. Products
or services that are principally marketed to satisfy industrial or commercial
needs are not included in this category. Examples are:

■ Pages offering an item intended for personal usage for sale, with price,
description, order number, or some combination thereof
■ Internet malls
■ Online auctions
■ Department or retail stores online catalogs
■ Services that are meant to benefit the private individual

Sports / Sports Wireless Sites that promote or provide information about spectator sports. Examples are:

■ Professional sports teams, leagues, organizations, or association sites;
player and fan sites
■ Collegiate football, basketball, etc.; men's and women's; team, league, and
conference sites; player and fan sites
■ Sites for official Olympic Committees; media Olympic portals
■ Sports portals and directories - scores, schedules, news, statistics,
discussion, etc.; spectator sports link aggregations
■ Sports event ticket sales for targeted professional or collegiate sports; sports
tourism
■ Online magazines, newsletters, chats, and forums for targeted professional
and collegiate sports

Streaming Media Sites that host streaming media like television, movies, video, radio, or other
media.

Suicide Sites that describe or promote suicide. Examples are:

■ Suggestions on how to kill yourself; newsgroups; chat rooms; message
boards
■ Descriptions or depictions of methods, systems, or machines; instructions
■ Personal stories; suicide diaries; blogs; forums
■ Famous suicides or details of famous suicides
■ Famous suicide spots
■ Glorification or worshipful attitude to suicide

Technology and Telecommunications Sites that provide information pertaining to computers, the Internet, and
telecommunication. Examples are:

■ Software solutions and services
■ Computer and telecommunication hardware, devices, and gadgets
■ Internet and phone access services
■ Technology news

Tobacco Sites that promote or offer tobacco for sale, or otherwise encourage the
consumption of tobacco. Examples are:

■ Retailers and manufacturers from the tobacco industry
■ Tobacco products and paraphernalia
■ Smoking is good, glamorous, or cool
■ How to smoke or smoking lessons

Travel / Travel Wireless Sites that promote or provide opportunity for travel planning in a general sense,
particularly finding and making travel reservations. Examples are:

■ Travel portals, packages, and information (includes tours, travel clubs and
associations, and travel information for specific demographic groups)
■ Air travel (air carriers: tickets/reservations/charters)
■ Sites that facilitate travel-related transportation
(tickets/reservations/charters/rentals of trains, buses, boats, motorcycles.
Does not include car rentals.)
■ Lodging (includes lodging directories and portals)
■ Travel agents and travel auctions

Violence Sites that advocate or provide instructions to cause physical harm to people or
property through use of weapons, explosives, pranks, or other types of violence.
Examples are:

■ Explosives and bombs: How to manufacture, obtain materials, transport, or
seed an area, including but not limited to making explosives using common
household items.
■ Pranks, destructive mischief, "revenge," teenage anarchy including but not
limited to dangerous chemistry
■ Descriptions or instructions for killing people

Virtual Community Sites that offer a variety of tools and mechanisms to enable a group of people
to communicate and interact by the Internet. Examples include:

■ Social networking
■ Chat and instant messaging
■ Forums & Messageboards
■ Hosting of home pages and other user generated content including audio
and video

Weapons Sites that describe or offer for sale weapons including guns, ammunition, firearm
accessories, knives, and martial arts. Examples are:

■ Online sales of firearms, ammunition, accessories, and knives
■ Descriptions, reviews, or specifications of weapons
■ Weapons retailers, manufacturers, auctions, and trading centers
■ Instructions for manufacture of weapons

Webmail Sites that provide Web based email services that are freely available and
accessible through any Internet browser.

Wedding Sites related to the traditions, customs, planning, and products involved in a
marriage or commitment ceremony as well as in civil unions. Examples are:

■ Wedding planning
■ Wedding products
■ Alternative commitment ceremonies

Symantec periodically updates the predefined URL categories. Symantec Protection Engine
automatically downloads updated categories through LiveUpdate. Symantec might create new
URL categories to address additional content areas as needed. New categories are not active
by default. You must select the new categories that you want to use for URL blocking.
The predefined URL categories cannot be modified.
See “Overriding a URL categorization” on page 137.

Note: If the requested URL belongs to the CAIC category, the URL is replaced with the text
CAIC-URL in all the corresponding messages and logs.

See “About categories” on page 118.



About local categories


You can create your own custom categories. Categories that you create are called local
categories. Access to the URLs that you add to local categories is denied by default. To turn
off a local category, you must change the category configuration.
See “Managing local categories” on page 134.

How to filter a URL


If your client uses ICAP, you can take advantage of the URL filtering capabilities of Symantec
Protection Engine. You must have the appropriate URL filtering licenses to use the URL filtering
features in Symantec Protection Engine.
See “About licensing” on page 63.
You can configure URL filtering by taking any of the following steps:
■ Enable URL filtering and select the appropriate filtering mode.
See “Enabling URL filtering in Symantec Protection Engine” on page 132.
See “About the filtering modes” on page 131.
■ Specify the URLs (by subject content) to which you want to deny access.
See “Denying access to URLs in URL categories” on page 133.
■ Create and populate local categories with sites to which you want to deny user access.
See “Managing local categories” on page 134.
■ Override URL categorizations by adding URLs to Allow categories.
See “Overriding a URL categorization” on page 137.
■ Customize the "Access Denied" message that users see when access to a URL is denied.
See “Customizing the access denied message” on page 138.

About the filtering modes


Symantec Protection Engine lets you scan URLs in audit mode or the filtering mode. The mode
that you use depends on the capabilities of the client application for which Symantec Protection
Engine provides URL filtering. It also depends on the manner in which Symantec Protection
Engine is deployed.

Note: When you change from audit mode to the filtering mode, the URL category and local
category settings revert to settings that you configured (and applied) in the filtering mode.

See “About audit mode in Symantec Protection Engine” on page 132.


See “About filtering mode in Symantec Protection Engine” on page 132.

See “Enabling URL filtering in Symantec Protection Engine” on page 132.

About filtering mode in Symantec Protection Engine


When Symantec Protection Engine operates in the filtering mode, Symantec Protection Engine
handles URL filtering and the denial-of-access to restricted sites.
Specify the categories to deny. Based on your configuration, Symantec Protection Engine
determines whether to deny access for each request. If access is denied, Symantec Protection
Engine returns an "Access Denied" message to the user.
See “Customizing the access denied message” on page 138.
When Symantec Protection Engine scans in the filtering mode, it stops scanning when the first
URL match is found.
See “Enabling URL filtering in Symantec Protection Engine” on page 132.

About audit mode in Symantec Protection Engine


When Symantec Protection Engine operates in audit mode, the ICAP client handles the
application of URL filtering and the denial-of-access to restricted sites.
Symantec Protection Engine provides the ICAP client with the information that is necessary
to determine whether a site should be blocked. The client decides how the request is handled.
When you select audit mode, all URL categories and local categories are automatically included
in the Audit list. You cannot select specific categories to include in the Audit list. However, you
can add and delete local categories.
See “Managing local categories” on page 134.
For each request from the ICAP client, Symantec Protection Engine matches the request
against all categories. Symantec Protection Engine notifies the client if the requested URL is
contained in any URL category or local category. Based on the information that Symantec
Protection Engine returns, the ICAP client determines whether the site should be blocked.
When Symantec Protection Engine scans in audit mode, scanning does not stop when a single
URL match is found. It continues to scan against all categories. Symantec Protection Engine
provides the results to the ICAP client so that it has all of the information it needs to handle
the request.
See “Enabling URL filtering in Symantec Protection Engine” on page 132.

Enabling URL filtering in Symantec Protection Engine


Symantec Protection Engine is provided with minimal URL definitions. We recommend that you
run LiveUpdate to update the URL definitions before you start URL filtering.

URL filtering can be enabled during installation. If you did not enable URL filtering during
installation, follow the steps below to enable it.
See “To enable URL filtering” on page 133.
See “About the filtering modes” on page 131.
To enable URL filtering
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
4 Under Enable URL Filtering and download URL Filtering definitions, select Filtering
mode or Audit mode.
5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

Denying access to URLs in URL categories


Symantec Protection Engine includes predefined URL categories. URL categories consist of
URLs that contain related subject matter. You can deny access to URLs when you add the
category to the Deny Access list. When you deny access to a URL category, access to the
URLs that are contained in that category is denied. However, you can override the categorization
of a URL.
See “To deny access to URL categories” on page 134.
See “Overriding a URL categorization” on page 137.

Note: Symantec Protection Engine automatically encodes and saves the text strings in
Unicode/UTF-8 when you apply your changes in the console.

None of the URL categories are in the Deny Access list and access to the URLs in every
category is permitted by default. You must select the URL categories that you want to add to
the Deny Access list.

To deny access to URL categories


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
4 Under Configure Categories, select Deny Access for each URL category for which you
want to deny access.
5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

Managing local categories


You can create your own custom categories. Categories that you create are called local
categories. You can use local categories to deny access to sites that have not been categorized
in one of the predefined URL categories. Access is denied to the URLs that are associated
with the local categories and are in the Deny Access list.
Local categories are denied by default (that is, they are in the Deny Access list). To permit
access to URLs in a local category, you must change the category configuration.
When you add URLs to a local category, you can be as specific or as general as you want.
Symantec Protection Engine looks for the most exact match when a URL is checked. Based
on the entry in a category, you can block or allow individual Web pages or entire directories,
computers, or domains.
Table 7-2 provides examples of how you can vary the URLs that you enter in the categories
to provide general or specific blocking.

Table 7-2 Filtering by URL

Filtered URL Effect

www.symantecexample.com/pics/apr.html Matches this one specific page

www.symantecexample.com/pics Matches the entire directory

www.symantecexample.com Matches this computer

symantecexample.com Matches the entire domain

For example, if you add the domain symantecexample.com to a denied category, access to
all URLs in that domain is denied. If you want to permit access to one URL within that
domain, add a more specific URL, for example www.symantecexample.com/daily-news, to a
local category that is not in the Deny Access list. Because Symantec Protection Engine
looks for the most exact match, access to the specific URL is allowed. Access is denied to
any other content from that domain.

Note: You cannot allow or deny access to a URL based on Internet protocol (for example,
HTTP, FTP, and HTTPS). When you add a URL to a local category and deny access to that
category, all connections are uniformly blocked.

You can manage local categories as follows:


■ Create a local category.
You can create up to 256 local categories.
■ Delete a local category.
■ Add a URL to a local category.
Use host names rather than IP addresses.
■ Delete a URL from a local category.
To create a local category
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
4 Under Tasks, click Add Local Category.
In the content area on the URL tab, under Local Categories, the new category displays
in the list of local categories. The category is temporarily called: rename.
Filtering URLs 136
How to filter a URL

5 Type a new name for the category.


Categories can be up to 64 characters in length. Category names are not case-sensitive.
Local categories are denied by default.
6 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

To delete a local category


1 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
2 Under Local Categories, select the category you want to delete from the list of local
categories.
3 In the sidebar under Tasks, click Delete Local Category.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

To add a URL to a local category


1 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
2 Under Local Categories, select the category to which you want to add a URL from the
list of local categories.
Filtering URLs 137
How to filter a URL

3 In the URLs associated with selected Local Category (maximum 999 characters per
URL) box, type the URL that you want to add.
Type one URL per line. You can enter a maximum of 999 characters per URL.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

To delete a URL from a local category


1 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
2 Under Local Categories, select the local category from which you want to delete a URL.
The URLs that are contained in the selected category are displayed in the URLs associated
with selected Local Category (maximum 999 characters per URL) box.
3 In the URLs associated with selected Local Category (maximum 999 characters per URL)
box, highlight the URL that you want to remove, and then press Delete.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About filtering URLs” on page 117.


See “About categories” on page 118.

Overriding a URL categorization


You can override the categorization of a URL in a predefined URL category by adding the URL
to the URL List Override. URLs that are contained in the URL List Override are always permitted.
When a URL request is submitted, Symantec Protection Engine checks the URL List Override
before it checks the categories in the Deny Access list. If it finds a match in the URL List
Override, it does not check the Deny Access list categories. The URL List Override functions
in the same manner for both audit and filtering mode.
Add only the URLs that you know contain acceptable material to the URL List Override. When
you place a URL in the URL List Override, you permit unconditional access to the URL.

Note: You cannot allow or deny access to a URL based on Internet protocol (for example,
HTTP, FTP, and HTTPS). When a URL is contained in a local category that is in the Deny
Access list, all connections are uniformly blocked.
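The decision flow that the preceding sections describe (scheme ignored, URL List Override checked first, most exact entry wins, filtering mode returns one decision plus the Access Denied text, audit mode reports every matching category) is easier to reason about as code. The following is an added example, not Symantec Protection Engine's own code or an interface it exposes: the class and function names, the longest-match scoring rule used to stand in for "most exact match", and the hostnames in the constructed sample policy are all assumptions made for illustration.

```python
"""Toy model of the URL-filtering decision flow described on this page.
Added example, not Symantec Protection Engine code: the names, the scoring
rule and the sample hostnames are assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_MESSAGE = "Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}"


def normalise(url: str) -> tuple[str, str]:
    """Split a URL or bare category entry into (host, path). The scheme is
    dropped: the page says HTTP, HTTPS and FTP cannot be told apart."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def specificity(entry: str, host: str, path: str) -> int:
    """How exactly ENTRY matches the request, or -1 for no match. Assumption:
    "most exact match" is modelled as the longest matching entry (host plus
    path), so a page beats a directory beats a computer beats a domain."""
    e_host, e_path = normalise(entry)
    if e_host != host and not host.endswith("." + e_host):
        return -1                     # neither this computer nor a subdomain of it
    if e_path and path != e_path and not path.startswith(e_path + "/"):
        return -1                     # request is not under the entry's directory/page
    return len(e_host) + len(e_path)


@dataclass
class Category:
    name: str
    urls: set[str]
    deny: bool = True                 # local categories are denied by default


@dataclass
class Decision:
    allowed: bool | None              # None: audit mode, the ICAP client decides
    category: str | None              # category that decided (filtering mode)
    matches: list[str]                # every matching category (audit mode)
    message: str | None = None        # Access Denied text when blocked


class UrlFilter:
    def __init__(self, categories: list[Category], override: list[str] = (),
                 message: str = DEFAULT_MESSAGE) -> None:
        self.categories = categories
        self.override = list(override)
        self.message = message

    def check(self, url: str, audit: bool = False) -> Decision:
        host, path = normalise(url)
        # 1. The URL List Override is consulted first in both modes; a hit ends evaluation.
        if any(specificity(e, host, path) >= 0 for e in self.override):
            return Decision(True, None, [])
        # 2. Score each category by its best-matching entry; drop non-matches.
        scored = [(max(specificity(e, host, path) for e in c.urls), c)
                  for c in self.categories if c.urls]
        scored = [(s, c) for s, c in scored if s >= 0]
        if audit:
            # Audit mode: keep scanning all categories and report every match.
            return Decision(None, None, [c.name for _, c in scored])
        if not scored:
            return Decision(True, None, [])
        # 3. Filtering mode: the most exact match decides and scanning stops.
        _, winner = max(scored, key=lambda sc: sc[0])
        if winner.deny:
            reason = f"Found in denied list {winner.name}"
            text = self.message.replace("${URL_REQUESTED}", url).replace("${REASON}", reason)
            return Decision(False, winner.name, [winner.name], text)
        return Decision(True, winner.name, [winner.name])


def build_example_filter(override: list[str] = ()) -> UrlFilter:
    """Constructed sample policy reproducing the page's symantecexample.com case;
    the entries in the two predefined categories are made up for the example."""
    return UrlFilter([
        Category("Gambling", {"casino.example"}, deny=True),   # predefined, in Deny Access list
        Category("Sports", {"scores.example"}, deny=False),    # predefined, not denied
        Category("blocked-domains", {"symantecexample.com"}),  # local: denied by default
        Category("news-allowed", {"www.symantecexample.com/daily-news"}, deny=False),
    ], override)


if __name__ == "__main__":
    policy = build_example_filter()
    for u in ("https://www.symantecexample.com/daily-news/today.html",
              "http://www.symantecexample.com/pics/apr.html",
              "ftp://files.symantecexample.com"):
        d = policy.check(u)
        print(u, "->", "allowed" if d.allowed else d.message)
```

Running the module walks the page's own example: the daily-news page is allowed because the more specific entry in the permitted local category outranks the denied domain entry, the pics page is denied with the default Access Denied text, and an FTP request to a subdomain is also denied because neither the scheme nor the subdomain escapes a domain entry. Passing audit=True returns every matching category instead of a verdict, which is the information an ICAP client gets in audit mode.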

To override a URL categorization


1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
4 Under URL List Override (maximum 999 characters per URL), type the URL for which
you want to allow access.
Type one URL per line. You can enter a maximum of 999 characters per URL.
5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About filtering URLs” on page 117.

Customizing the access denied message


Symantec Protection Engine displays an Access denied message to the user when access to
a Web site is blocked. The default message is as follows:
Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}
You can customize the message using the following variables:

${URL_REQUESTED} The URL address that the user requested.


${REASON} An explanation of why the URL address that the user requests is blocked.

When a Web site is blocked due to URL violation, the ${REASON} variable
reads as follows:

Found in denied list <(category)>

where <(category)> is the URL category or local category that contains the denied URL.

See “To customize the access denied message” on page 139.
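As an added example (not Symantec code), the following Python models the evaluation order described above, the URL List Override checked before the Deny Access categories in both modes, and renders the access denied message from ${URL_REQUESTED} and ${REASON}. The URLs, category names and the host-to-category map that stands in for the URL filtering definitions are constructed, and treating audit mode as "record the match but allow the request" is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from string import Template
from urllib.parse import urlsplit

# Default text from the console; the two variables are the ones the console supports.
DEFAULT_MESSAGE = "Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}"
MAX_OVERRIDE_LEN = 999   # console limit per URL List Override entry


def url_key(url: str) -> str:
    """Scheme-independent form of a URL (lower-cased host plus path).
    The note above says access cannot be allowed or denied per protocol, so
    http, https and ftp requests for the same host and path collapse to one key."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    return host + parts.path.rstrip("/")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    matched: str        # "URL List Override", the denied category, or "no match"
    message: str = ""   # rendered access denied text; empty when nothing was denied


class UrlPolicy:
    """Constructed model of the console settings: the override list, the Deny Access
    categories, a host-to-category map standing in for the definitions, and the mode."""

    def __init__(self, override, deny_categories, categorizer, audit_mode=False,
                 message=DEFAULT_MESSAGE):
        too_long = [u for u in override if len(u) > MAX_OVERRIDE_LEN]
        if too_long:
            raise ValueError(f"URL List Override entries over {MAX_OVERRIDE_LEN} characters: {too_long}")
        self.override = {url_key(u) for u in override}
        self.deny_categories = set(deny_categories)
        self.categorizer = {h.lower(): c for h, c in categorizer.items()}
        self.audit_mode = audit_mode      # assumed: audit mode records the match but allows access
        self.template = Template(message)

    def in_override(self, key: str) -> bool:
        # An override entry matches the URL itself and anything beneath its path.
        return any(key == o or key.startswith(o + "/") for o in self.override)

    def evaluate(self, url: str) -> Decision:
        key = url_key(url)
        # Step 1: the URL List Override is checked first, in both audit and filtering
        # mode, and a match ends evaluation without consulting the Deny Access list.
        if self.in_override(key):
            return Decision(True, "URL List Override")
        # Step 2: look up the category and compare it with the Deny Access list.
        host = key.split("/", 1)[0]
        category = self.categorizer.get(host)
        if category is None or category not in self.deny_categories:
            return Decision(True, "no match")
        reason = f"Found in denied list <{category}>"
        message = self.template.safe_substitute(URL_REQUESTED=url, REASON=reason)
        # Filtering mode blocks the request; audit mode only records the violation,
        # so the message shows what the user would have seen.
        return Decision(self.audit_mode, category, message)
```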


To customize the access denied message
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Filtering, select Enable URL Filtering and download URL
Filtering definitions.
4 Under Access Denied Message, customize the user notification message.
5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “How to filter a URL” on page 131.


See “Customizing the access denied message” on page 138.

About URL Reputation


The URL Reputation feature identifies threats from domains and URLs that host malicious
content such as malware, fraud, phishing, and spam. It lets you block access to the web
addresses that are identified as known sources of malicious content.
The URL Reputation feature restricts access to URLs and domains based on their reputation
and confidence ratings. Symantec assigns a confidence rating and a reputation rating to each
identified web address. You can choose threshold settings for these ratings to suit your
requirements.
Confidence is a measure of how sure Symantec is of the validity of the information and reports.
Confidence is rated on a scale of 1 to 5, where 1 is the baseline confidence and 5 is very high
confidence. Reputation takes into account all domain/URL-specific and behavior-specific
ratings. Reputation is rated on a scale of 1 to 10, where 1 is the baseline reputation
required for inclusion in the feed and 10 is the worst possible reputation.
URL Reputation definitions can be updated using the Symantec LiveUpdate mechanism.
See “Configuring URL Reputation ” on page 140.
See “Enabling URL Reputation in the Core server only mode ” on page 205.
See “Configuring the additional parameters of URL Reputation” on page 276.

Configuring URL Reputation


The URL Reputation feature is disabled by default. You must enable it and configure the
additional parameters as per your requirements.
To configure URL Reputation
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Views, click Filtering.
3 On the URL tab, under URL Reputation, select Enable URL Reputation and download
URL Reputation definitions.
4 Select the URL reputation level from the Reputation list.
The reputation level indicates how bad the domain or URL is. This level is dynamic and
can change with each definitions update.
5 Select the URL confidence level from the Confidence list.
Confidence is a measure of how confident Symantec is of the validity of the information
and reports. This value is dynamic and can change with each definitions update.
6 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you
are ready to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “Enabling URL Reputation in the Core server only mode ” on page 205.
Chapter 8
Logging data, issuing alerts, and generating reports
This chapter includes the following topics:

■ About logging data

■ About configuring local logging

■ Configuring logging to the Linux Syslog

■ About configuring alerts

■ About reports

About logging data


Symantec Protection Engine provides several logging and alert destinations. You can activate
logging to each available destination by selecting a logging level that you want for that
destination. You can then choose the types of events for which log messages are generated.
For each logging destination that you choose, you can select a different logging level.
See “Logging destinations” on page 141.
See “Logging levels and events” on page 142.

Logging destinations
Table 8-1 shows the destinations to which Symantec Protection Engine can forward log events.
Table 8-1 Logging destinations

Destination Description

Local logs Symantec Protection Engine logs events to the local logs by default. The default
location for the local logs for Linux is /opt/SYMCScan/log. You can change the
location of the logs. You can use the reporting functions to view the local logs.

See “About configuring local logging” on page 146.

Statistics logs Statistics logs are used to report the following cumulative scan data:

■ Total number of files that are scanned, and quarantined
■ Total megabytes scanned
■ Types of violations that are found by violation type

You must enable logging to the statistics logs so that you can view statistics reports.
Scan data is logged daily to the statistics log files. You can use the reporting functions
to view the statistics data.

See “Enabling statistics reporting in Symantec Protection Engine” on page 149.

Abort log Information is logged to the abort log only when Symantec Protection Engine fails
to start before the standard protection engine logging is initiated. This failure can
occur, for example, if the XML does not validate. If this failure occurs, information
about the failure is written to the abort log file,
SymantecProtectionEngineAbortLog.txt. This file is located in the installation directory
(/opt/SYMCScan).

Logging levels and events


You can select a different logging level for each logging and alert notification destination.
Table 8-2 lists the events for which messages are generated at each logging level.

Table 8-2 Events by logging level

Logging level Events logged

None None
Error The following events are logged:


■ All of the events that are logged at the Audit logging level
■ Definitions corrupted
■ Definitions update failure
■ Licensing error
■ Scan error
■ Critical error
■ Crash error
■ Logging error (SMTP/SNMP user notification)
Entries for this event are only logged to the local logs.
■ File name exceeded

Outbreak The following events are logged:

■ All of the events that are logged at the Error logging level
■ File attribute outbreak alert
■ URL block outbreak alert
■ Nonviral outbreak alert
■ Viral outbreak alert
■ Container limit outbreak alert
Warning The following events are logged:


■ All of the events that are logged at the Outbreak logging level
■ Definitions rollback failed
■ Infection found
■ Spyware Risk
■ Adware Risk
■ Other Security Risk
■ Container violation found
■ File attribute violation found
■ Definitions rollback
■ Licensing warning
■ URL block
■ File Access Allowed
■ Symantec Protection Engine has not received configured number of requests
■ Scanning feature hung or protection engine is overloaded
■ Scan request rejected
■ Failed to create self scan test file
■ User login failed
■ Bad ICAP request
■ AV Connector has been disabled
■ AVServer has been disconnected from AV Connector
■ Symantec Protection Engine has failed to extract the file

Information The following events are logged:

■ All of the events that are logged at the Warning logging level
■ Version information
■ URL audit detection
■ Definitions update
■ LiveUpdate up-to-date
■ LiveUpdate succeeded
■ User logged in
■ Symantec Protection Engine has not scanned the file
■ The AV Connector version and status information is provided
Verbose The following events are logged:

■ All of the events that are logged at the Information logging level
■ Outbreak alerts for the configured events
■ All of the events that are logged at the Warning logging level
■ Files scanned
■ URLs scanned

Note: The Verbose logging level should only be selected for debugging purposes.
Performance is significantly degraded if you activate this logging level for general
logging.

See “Logging destinations” on page 141.

Specifying the log bind address


You can set a log bind address for each Symantec Protection Engine so that you can more
easily identify the originating protection engine. When you use this feature, the log bind address
of the originating Symantec Protection Engine is included in all alert messages.
For example, setting the log bind address is helpful if you have multiple Symantec Protection
Engines that listen on the loopback interface (127.0.0.1). The IP address on which Symantec
Protection Engine listens is used in SNMP and SMTP alert messages to identify the originating
Symantec Protection Engine. Therefore, it is not possible to determine which Symantec
Protection Engine originated the message when more than one uses the loopback interface.
You can set a unique log bind address for each Symantec Protection Engine to provide a
method for identifying each Symantec Protection Engine.
If your client uses ICAP and you do not specify a log bind address, Symantec Protection Engine
selects one for you. Symantec Protection Engine determines the log bind address based on
the scanning bind addresses that you enable on the Configuration > Protocol page.
Symantec Protection Engine determines the log bind address based on the following conditions:

No bind address is selected in the ICAP Configuration Bind address table:
The logging bind address is the first bind address in the ICAP Configuration Bind address
table on the Configuration > Protocol page. If the first bind address is the localhost, then
the logging IP address is the second bind address in the list.

One or more bind addresses are selected in the ICAP Configuration Bind address table:
The logging bind address is the first non-local host IP address from the selected bind
addresses in the ICAP Configuration Bind address table on the Configuration > Protocol page.

See “To specify the log bind address” on page 146.


See “Configuring ICAP options” on page 76.
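The selection rule stated above, written out as an added example (not Symantec code) so the edge cases are explicit: the bind address table entries are constructed, and treating an explicitly typed log bind address as taking precedence, and a table whose only selected entries are loopback addresses as yielding no usable address, are assumptions.

```python
from __future__ import annotations
from ipaddress import ip_address
from typing import NamedTuple, Optional


class BindEntry(NamedTuple):
    address: str
    selected: bool   # checked in the ICAP Configuration Bind address table


def is_localhost(addr: str) -> bool:
    """127.0.0.0/8, ::1 and the name 'localhost' count as the local host here."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def log_bind_address(table: list[BindEntry], configured: Optional[str] = None) -> Optional[str]:
    """Address that identifies this engine in SNMP and SMTP alert messages.
    A log bind address typed in the console wins (assumption); otherwise the
    engine picks one from the ICAP bind address table as described above."""
    if configured:
        return configured
    if not table:
        return None
    selected = [e.address for e in table if e.selected]
    if not selected:
        # Nothing selected: the first entry, or the second if the first is localhost.
        if not is_localhost(table[0].address):
            return table[0].address
        return table[1].address if len(table) > 1 else None
    # Something selected: the first non-local host address among the selected entries.
    for addr in selected:
        if not is_localhost(addr):
            return addr
    return None   # only loopback addresses were selected; nothing identifies the engine
```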
To specify the log bind address
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Logging Properties, in the Log bind address box, type an IP
address to identify the computer on which Symantec Protection Engine is running.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

About configuring local logging


You can change the types of events that are logged to the local logs.
You can also perform any of the following tasks:
■ Change the local logging level.
See “Specifying the local logging level” on page 147.
■ Change the directory where log files are located.
See “Changing the directory where log files are located” on page 147.

■ Change the length of time that the log files are maintained.
See “Changing the length of time that log files are maintained” on page 148.
■ Enable statistics reporting.
See “Enabling statistics reporting in Symantec Protection Engine” on page 149.
■ Enable resource consumption logging.
See “Enabling resource consumption logging in Symantec Protection Engine” on page 104.
Specifying the local logging level


Symantec Protection Engine sends logging events to the local logs by default. You can change
the types of events that are sent to the local logs. The default logging level for the local logs
is Warning.
See “Logging levels and events” on page 142.
See “To specify the local logging level” on page 147.
To specify the local logging level
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Local Logging, in the Local logging level list, select the
appropriate local logging level.
The default logging level is Warning. Select Verbose only if you have been instructed to
do so by Symantec Technical Support to troubleshoot issues.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “Changing the directory where log files are located” on page 147.

Changing the directory where log files are located


You can change the location of the local log file and the statistics log files. You cannot change
the file names. The default location for the log files for Linux is /opt/SYMCScan/log.
Symantec Protection Engine creates a new local log file for each day. The file names have
the following format: SSEyyyymmdd.log, where yyyy is the year, mm is the month, and dd is
the day.
The disk space that is required for the log files varies, depending upon your scan volume,
associated activity, and how long you retain the log files. The specified location must be large
enough to accommodate these files. If you change the log file location, old log files remain in
the former directory and are not removed during uninstallation. Old logs must be removed
manually.
See “To change the directory where log files are located” on page 148.
See “Changing the length of time that log files are maintained” on page 148.
To change the directory where log files are located
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Local Logging, in the Log files directory box, type the path
to the new location for the log files.
The file directory that you specify must already exist. Symantec Protection Engine validates
the existence of the directory when you save or apply your changes.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

Changing the length of time that log files are maintained


Symantec Protection Engine creates a new log file for each day. You can specify the number
of log files that Symantec Protection Engine retains to keep the log directory at a manageable
size. When the maximum number of log files is reached, the oldest log file is removed each
day. This setting is enabled by default with a value of 0, which means that all log files are
retained.
See “Exporting local log data to a file” on page 157.
To change the length of time that log files are maintained
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Local Logging, in the Number of log files to retain (one per
day) box, type the number of individual log files to retain.
The default setting is enabled (0) so that all the log files are retained.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.
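As an added example (not Symantec code), the following Python applies the naming and retention rules from the two sections above to a log directory: one SSEyyyymmdd.log file per day, keep the newest N, and a value of 0 keeps everything. The file names are constructed; statistics (.dat) files are deliberately left alone because the page does not say whether the retention count covers them.

```python
from __future__ import annotations
import re
from datetime import date
from pathlib import Path

# One local log per day, named SSEyyyymmdd.log, as described above.
LOG_NAME = re.compile(r"^SSE(\d{4})(\d{2})(\d{2})\.log$")


def parse_log_date(name: str):
    """Date encoded in a daily log file name, or None for any other file."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:
        return None   # a name such as SSE20190231.log is not a day the engine would write


def files_to_remove(names, retain: int):
    """Names of the daily logs outside the newest `retain` days, oldest first.
    A retain value of 0 (the product default) keeps every log file."""
    if retain < 0:
        raise ValueError("retain must be 0 (keep all) or a positive count")
    if retain == 0:
        return []
    # Unrelated files (statistics .dat files, notes, ...) never appear in this list.
    dated = sorted((d, n) for n in names if (d := parse_log_date(n)) is not None)
    return [n for _, n in dated[:-retain]]


def sweep(log_dir: Path, retain: int, dry_run: bool = True):
    """Apply the retention rule to a real directory; returns what was (or would be) removed."""
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    stale = files_to_remove(names, retain)
    if not dry_run:
        for n in stale:
            (log_dir / n).unlink()
    return stale
```

Run `sweep(Path("/opt/SYMCScan/log"), retain=30)` first with the default dry run to see which files the rule would select before letting it delete anything.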

Enabling statistics reporting in Symantec Protection Engine


You can configure Symantec Protection Engine to maintain and report cumulative scan data.
You must enable logging to the statistics logs so that you can view statistics reports. You can
select a date range and time range for the report and view the scanning statistics for that range.
See “Viewing statistics log data” on page 158.
Symantec Protection Engine creates a new statistics log file for each day. The file name has
the following format: SSEyyyymmdd.dat, where yyyy is the year, mm is the month, and dd is
the day.
The statistics log files are stored in the same location as the log files. The default location for
the log files for Linux is /opt/SYMCScan/log.
See “To enable statistics reporting” on page 149.
See “Changing the length of time that log files are maintained” on page 148.
To enable statistics reporting
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Local Logging, check Enable statistics reporting.
Statistics reporting is enabled by default.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About configuring local logging” on page 146.

Configuring logging to the Linux Syslog


If you are running Symantec Protection Engine on Linux, you can configure Symantec Protection
Engine to log events to the Linux Syslog. You can also select the types of events that are
logged. The default logging level is None (deactivated). Logs are written to /var/log/messages.
You must be running Symantec Protection Engine on Linux to use this feature.
To configure logging to the Linux Syslog
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Logging.
3 In the content area under Linux Syslog Logging, in the Linux logging level list, select
the appropriate logging level.
The default logging level for the Linux Syslog is None.
4 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are
ready to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “Configuring logging to the Linux Syslog in the Core server only mode” on page 211.
About configuring alerts


In addition to the local log, you can send alerts using Simple Network Management Protocol
(SNMP) and Simple Mail Transfer Protocol (SMTP). You can select a notification level to
control the amount and the type of alerts that are sent.
See “Activating SMTP alerts” on page 151.
See “Activating SNMP alerts” on page 152.
If you activate SNMP or SMTP alerts and are running multiple Symantec Protection Engines,
set a log bind address for each one. Separate log bind addresses let you identify the originating
Symantec Protection Engine for each SNMP and SMTP alert message.
See “Specifying the log bind address” on page 145.
You also can activate outbreak alerts. Symantec Protection Engine can issue alerts when a
specified number of the same type of threat or violation occurs in a given time interval. Outbreak
alerts provide an early warning of a potential outbreak so that you can take the necessary
precautions to protect your network.
See “Configuring outbreak alerts” on page 153.

Activating SMTP alerts


When you activate SMTP alerts, you must identify a primary SMTP server for forwarding alert
messages. You must also specify the email addresses of the recipients and the local domain
for Symantec Protection Engine. You can specify a second SMTP server if one is available.
You must select the types of events for which SMTP alert messages are generated.
See “To activate SMTP alerts” on page 151.
See “Logging levels and events” on page 142.
To activate SMTP alerts
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Alerting.
3 In the content area under SMTP Notifications, in the SMTP notification level list, select
the SMTP notification level.
SMTP alerts are not activated by default. The SMTP notification level is set to None. The
Verbose notification level is not available for SMTP alerting.
4 In the Primary server address box, type the IP address or host name of the primary
SMTP server that forwards the alert messages.
5 In the Secondary server address box, type the IP address or host name of a secondary
SMTP server (if one is available) that forwards the alert messages if communication with
the primary SMTP server fails.
6 In the SMTP domain box, type the local domain for Symantec Protection Engine.
The domain name is added to the From box for SMTP messages. SMTP alert messages
that Symantec Protection Engine generates originate from
SymantecProtectionEngine@<domainname>, where <domainname> is the domain name
that you specify in the SMTP domain box.
7 In the Email recipients box, type the email addresses of the recipients of the SMTP alert
messages.
Type one email address per line.
8 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About configuring alerts” on page 151.

Activating SNMP alerts


To activate SNMP alerts, you must provide the SNMP community string and an IP address
for a primary SNMP console for receiving the alert messages. You can specify a second SNMP
console if one is available. A secondary SNMP console is optional. Alert messages are sent
to the primary SNMP console and secondary SNMP console in all instances. You can also
configure ports for the primary server and secondary server.
The Management Information Base file (symantecprotectionengine.mib) is located in the
Tools\MIB folder in the Symantec_Protection_Engine_Tools_8.1.0.XX_IN.zip file. You
can use the symantecprotectionengine.mib file to configure the SNMP alerts.
You must select the types of events for which SNMP alert messages are generated.
See “To activate SNMP alerts” on page 153.
See “Logging levels and events” on page 142.
To activate SNMP alerts


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Alerting.
3 In the content area under SNMP Notifications, in the SNMP notification level list, select
the SNMP notification level.
SNMP alerts are not activated by default. The SNMP notification level is set to None. The
Verbose notification level is not available for SNMP alerting.
4 In the Primary server address box, type the computer name or IP address of the primary
SNMP console to receive the alert messages.
5 In the Primary server port box, type the port of the primary SNMP console to receive
the alert messages.
The default value is 162.
6 In the Secondary server address box, type the computer name or IP address of a
secondary SNMP console to receive the alert messages, if one is available.
7 In the Secondary server port box, type the port of a secondary SNMP console to receive
the alert messages, if one is available.
The default value is 162.
8 In the SNMP community box, type the SNMP community string.
The default setting is public.
9 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About configuring alerts” on page 151.

Configuring outbreak alerts


Symantec Protection Engine can issue alerts when a specified number of the same type of
threat or policy violation occurs in a given time interval. You can use outbreak alerts as an
early warning for potential outbreaks. Alerts of outbreaks can help you take the necessary
precautions to protect your network.
You can select the types of events for which you want to receive alerts. For each event type,
you can configure the threshold number of occurrences and the time interval. If the number
of occurrences meets or exceeds the configured threshold for the selected interval, Symantec
Protection Engine generates an alert.
See “Configuring outbreak alerts” on page 153.
Table 8-3 lists the outbreak alert events that you can configure.

Table 8-3 Outbreak alert events

Event Description

Any viral threat A viral threat was detected

Same viral threat One or more incidences of the same type of viral threat were detected

Blocked URLs A URL was blocked due to a URL filtering violation

Container limit A maximum file extraction size or depth was met or exceeded

File attribute Any file attribute violation was detected

Any nonviral threats A nonviral threat was detected

Same nonviral threat One or more incidences of the same type of nonviral threat were detected

High risk rating threats A high risk rating threat was detected

Medium risk rating threats A medium risk rating threat was detected

To configure outbreak alerts


1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Outbreak.
3 In the content area under Outbreak Management, check the events for which you want
to receive alerts.
You must select Outbreak alerting (or a higher logging level that includes outbreak alerting)
for at least one logging destination to generate an outbreak alert.
4 For each selected event type, do the following in the order given:
■ Under Occurrences, type the occurrence threshold.
The default value is 2. You can use any value from 2 to 100000.
■ Under Time Interval, type the number of minutes within which the threshold number
of events must occur to generate an outbreak alert.
The default value is 1. You can use any value from 1 to 100000.

5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About configuring alerts” on page 151.


See “Logging levels and events” on page 142.
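As an added example (not Symantec code), the following Python implements the outbreak rule described above as a sliding window per event type: an alert fires when the number of occurrences within the configured interval meets or exceeds the occurrence threshold, with the thresholds validated against the ranges the console accepts. The event stream is constructed; keeping a separate window per threat name for the "Same ..." events and resetting the count after an alert are assumptions.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# The nine event types from Table 8-3.
EVENT_TYPES = frozenset({
    "Any viral threat", "Same viral threat", "Blocked URLs", "Container limit",
    "File attribute", "Any nonviral threats", "Same nonviral threat",
    "High risk rating threats", "Medium risk rating threats",
})


@dataclass(frozen=True)
class OutbreakRule:
    occurrences: int = 2    # console default; accepted range 2 to 100000
    interval_min: int = 1   # console default; accepted range 1 to 100000

    def __post_init__(self):
        if not 2 <= self.occurrences <= 100000:
            raise ValueError("Occurrences must be between 2 and 100000")
        if not 1 <= self.interval_min <= 100000:
            raise ValueError("Time Interval must be between 1 and 100000 minutes")


class OutbreakMonitor:
    """Sliding-window counter for each event type checked under Outbreak Management."""

    def __init__(self, rules: dict[str, OutbreakRule]):
        unknown = set(rules) - EVENT_TYPES
        if unknown:
            raise ValueError(f"unknown outbreak event(s): {sorted(unknown)}")
        self.rules = dict(rules)
        self.windows = defaultdict(deque)   # (event, threat-or-None) -> timestamps in seconds

    def record(self, event: str, ts: float, threat: Optional[str] = None) -> bool:
        """Record one occurrence at time `ts` (seconds); True when an alert fires.
        For the "Same ..." events the window is kept per threat name (assumed), so
        different threats never add up to one outbreak; the "Any ..." events share one window."""
        rule = self.rules.get(event)
        if rule is None:
            return False    # event type not selected for alerting
        window = self.windows[(event, threat if event.startswith("Same") else None)]
        window.append(ts)
        cutoff = ts - rule.interval_min * 60
        while window and window[0] < cutoff:
            window.popleft()   # drop occurrences that fell out of the interval
        if len(window) >= rule.occurrences:   # "meets or exceeds" the threshold
            window.clear()    # assumed: one alert per outbreak, then counting restarts
            return True
        return False
```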

About reports
You can use the Symantec Protection Engine reporting functionality to manage your local log
file data. The log data that is stored in the log files depends on the logging level that you select
for local logging. Local logging is activated by default at the Warning level. If you select a type
of log entry for a report that is not logged at the configured logging level, no data is available.
When working in the Core server with user interface mode, you can manage reports through
the Symantec Protection Engine console by doing any of the following actions:
■ Generate a report of log data from the local logs.
The local log files cannot be read directly. You must use the reporting function to view the
local logs. Local logging is the default logging destination.
See “Viewing the local log data” on page 156.
■ Export selected local log data in a comma-separated value (.csv) format.
See “Exporting local log data to a file” on page 157.
■ Generate a report of statistics information that is contained in the statistics logs.
The statistics log files are in .csv format and can be read or imported into a spreadsheet
program. You must use the reporting function to view the statistics logs.
See “Viewing statistics log data” on page 158.
■ View summary report on Symantec Protection Engine home page.
See “Viewing summary report on Symantec Protection Engine home page” on page 160.
When working in the Core server only mode, you can manage reports, using the logconverter
utility provided in the installation directory, by doing any of the following actions:
■ Generate a report of log data from the local logs in plain text format.
■ Export local log data in a comma-separated value (.csv) format.
■ Export local log data in an html format.

Viewing the local log data


You can use the reporting feature to view the log data from the local logs. The local log files
cannot be read directly. The reporting feature formats the local logs in an HTML table that
displays in the browser window. You can choose a date range and time range for which you
want to view log data. You can also select one or more types of log entries that you want to
view.
Local logging is the default logging destination. Local logging is activated by default at the
Warning level. The log data that is stored in the log files depends on the logging level that you
select for local logging. If you select a type of log entry for a report that is not logged at the
configured logging level, no data is available.
See “Logging levels and events” on page 142.

Note: To view the HTML report, you must disable any pop-up blockers that are running on
your computer.

To view the local log data


1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Detailed.
3 In the content area under Log View Page, in the Date range from boxes, type the start
date and the end date for the range you want to report.
Use the following date format:
MM/DD/YY
For example, 02/25/08 is February 25, 2008.
4 In the Time range from boxes, type the daily start times and the end times for the time
range that you want to report.
Use the following time format:
HH:MM:SS
Use a 24-hour time format. For example, 23:30:00 is 11:30 P.M.
5 Check any activities for which you want to view the log data.
Check all of the options that apply.
Press Ctrl+A to select all items in every category. Press Ctrl+Z to unselect all items in
every category.
6 In the sidebar under Tasks, click Generate Report.
See “About reports” on page 155.

Exporting local log data to a file


You can export the log data to a file in a comma-separated value (.csv) format. You can choose
a date range and time range for which you want to export data. You can also select one or
more types of log entries that you want to export.

Note: If you try to download large log files during periods of peak usage, the performance of
Symantec Protection Engine might be affected.

To export local log data to a file


1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Detailed.
3 In the content area under Log View Page, in the Date range from boxes, type the start
date and end dates for the date range that you want.
Use the following date format:
MM/DD/YY
For example, 02/25/08 is February 25, 2008.
4 In the Time range from boxes, type the daily start times and the end times for the time
range that you want.
Use the following time format:
HH:MM:SS
Use a 24-hour time format. For example, 23:30:00 is 11:30 P.M.
5 Check any activities for which you want to export the log data.
Check all of the options that apply.
Press Ctrl+A to select all items in every category. Press Ctrl+Z to unselect all items in
every category.
6 In the sidebar under Tasks, click Export (CSV).

7 In the Save logs dialog box, in the Save in list, select the file location where you want to
save the report.
8 In the File name box, type the file name, and then click Save.
See “About reports” on page 155.

Viewing statistics log data


You can use the reporting feature to view the log data from the statistics logs. You can choose
a date range and time range for which you want to view the statistics data. You can also select
one or more types of statistics that you want to view.
Statistics logs are used to report the following cumulative scan data:
■ Total number of files that are scanned and quarantined, and total megabytes scanned
■ Number of files that are rated as high, medium, or low risk
■ Number of infected files
■ Violations that Symantec Protection Engine found, by violation type
■ Number of encrypted containers
■ Total number of scanned and blocked URLs, and the number of URL audits

Note: You must enable logging to the statistics logs. After you enable logging to the statistics
logs, you can use the statistics reporting feature to view the statistics.
See “Enabling statistics reporting in Symantec Protection Engine” on page 149.

You can obtain summary data from the local logs for a given period of time. For the reported
period, you can review the total number of risks that were found.
The default logging destination for Symantec Protection Engine is the local logs. The default
location for the local logs on Linux is /opt/SYMCScan/log. You can change the location of the
logs.
See “Changing the directory where log files are located” on page 147.
The statistics do not represent a literal physical file count of the total number of files that have
been scanned. This total includes not only the number of files but also the additional objects
within the container files that were scanned. Some containers (such as MIME-encoded
messages and Microsoft Office documents) have additional embedded objects. These
embedded objects might not be files, but they might be scanned depending on the files that
you have selected for scanning. The total does not include any objects within the container
files that were not scanned because their extensions did not match those configured for
scanning.

To view statistics log data


1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Statistics.
3 In the content area under Statistics View, in the Date range from boxes, type the start
date and end date for the range you want to report.
Use the following date format:
MM/DD/YY
For example, 02/25/08 is February 25, 2008.
4 In the Time range from boxes, type the daily start and end times for which you want to
report.
Use the following time format:
HH:MM:SS
Use a 24-hour time format. For example, 23:30:00 is 11:30 P.M.
5 In the sidebar under Tasks, click Generate Report.
See “About reports” on page 155.

About summary report on Symantec Protection Engine home page


The home page of Symantec Protection Engine displays a summary of all scanning activities.
Symantec Protection Engine displays the following summary:

Table 8-4 Symantec Protection Engine summary

Category                      Activity

Overall Viral Statistics      ■ Viruses found

Generic Status                ■ Total requests
                              ■ URLs scanned
                              ■ Files scanned
                              ■ Total files scanned
                              ■ Data scanned
                              ■ Total data scanned

Overall Non Viral Statistics  ■ Security Risks

Quarantine                    ■ Files quarantined

Filtering                     ■ URL Filtering Blocks
                              ■ URL Reputation Blocks

From version 7.0, Symantec Protection Engine can calculate and retain cumulative scan data
since installation, in addition to retaining data since the last restart.
You can configure the following on the Symantec Protection Engine home page:
■ Display the summary since installation.
■ Display the summary since the last restart.
■ Auto-refresh the home page every minute.
Symantec Protection Engine home page also shows a graphical representation of scanning
activities and threat risk ratings for the selected time frame.
See “Viewing summary report on Symantec Protection Engine home page” on page 160.
See “Auto-refreshing Symantec Protection Engine home page” on page 161.

Viewing summary report on Symantec Protection Engine home page


The Symantec Protection Engine home page displays a summary of all scanning activities. You
can configure Symantec Protection Engine to display a summary of scanning activities since
installation or since the last restart. Symantec Protection Engine also shows a graphical
representation of scanning activities for the selected time frame.

To view summary report on Symantec Protection Engine home page


1 In the console on the primary navigation bar, click Home.
2 In the content area, in the Report Statistics Since drop-down list, select one of the
following:

Installation     Displays a summary report of scanning activities since installation.

Last Restart     Displays a summary report of scanning activities since the last restart.
                 By default, Symantec Protection Engine displays scanning activities since
                 the last restart.

3 On the toolbar, select one of the following options:

Save             Saves your changes.
                 Use this option to continue making changes in the console until you are
                 ready to apply them.

Apply            Applies your changes.
                 Your changes are not implemented until you apply them.

See “About summary report on Symantec Protection Engine home page” on page 159.
See “Auto-refreshing Symantec Protection Engine home page” on page 161.

Auto-refreshing Symantec Protection Engine home page


The Symantec Protection Engine home page displays the summary of scanning activities. You
can configure Symantec Protection Engine to auto-refresh the home page every minute so that
it displays the latest cumulative scan data.

To auto-refresh Symantec Protection Engine home page


1 In the console on the primary navigation bar, click Home.
2 In the content area, select the Auto Refresh box.
Symantec Protection Engine automatically refreshes the home page every minute.
3 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are
ready to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About summary report on Symantec Protection Engine home page” on page 159.
See “Viewing summary report on Symantec Protection Engine home page” on page 160.
Chapter 9
Keeping your product up to date
This chapter includes the following topics:

■ About content updates

■ About LiveUpdate

■ Rolling back URL definitions

About content updates


The content updates ensure that your Symantec Protection Engine server is up-to-date with
the most current Antivirus and URL definitions. You can update Symantec Protection Engine
with the latest definitions without any interruption in scanning.
See “About licensing” on page 63.

About definition updates


Symantec provides updates for the following types of definitions:

Antivirus   Definition files contain the necessary information to detect and eliminate risks, such
            as viruses and adware. Symantec supplies updated definition files every day and
            whenever a new risk is discovered.
            Symantec Protection Engine automatically uses the most current definition files for
            scanning.

URL         Symantec periodically supplies updated URL definition files. If you subscribe to
            content updates, Symantec Protection Engine automatically downloads updated
            URL definitions through LiveUpdate. Symantec might create new URL categories
            to address emerging URLs as needed. If you subscribe to the content updates, any
            new categories are automatically downloaded with the regular updates to the existing
            categories.
            Symantec Protection Engine automatically uses the most current definition files for
            scanning. However, if a problem is discovered with the current URL definitions, you
            can revert to the previous set of URL definitions.

You must update Antivirus and URL definitions using LiveUpdate. When you perform a content
update, Symantec Protection Engine downloads and installs the most current definitions. You
must have a valid license to update definitions.
If an error occurs, Symantec Protection Engine tries to roll back to the previous definitions. If
the rollback is successful, Symantec Protection Engine continues scanning using the previous
definitions. If the rollback is unsuccessful, scanning is disabled.
See “Rolling back URL definitions” on page 169.
See “About licensing” on page 63.

About updating your protection


You must use LiveUpdate to automatically update your protection from risks and HTTP content
filtering violations. When LiveUpdate runs, it downloads and installs the latest definitions. You
can configure LiveUpdate to run on a scheduled basis, or you can run it manually. Updates
are available multiple times in a day.
You must have a valid content license to install definition files. A content license is a grant by
Symantec Corporation for you to update Symantec corporate software with the latest associated
content, such as new definitions. When you do not have a content license or your license
expires, your product does not receive the most current definitions. Outdated definitions can
leave your servers vulnerable to risks.
See “About LiveUpdate” on page 164.
See “About licensing” on page 63.

About LiveUpdate
When you install or upgrade Symantec Protection Engine, LiveUpdate is enabled by default
to run every two hours. You can modify this schedule, or you can run LiveUpdate manually.
You can also use the XML modifier command-line tool to configure the number of times
Symantec Protection Engine tries to perform a LiveUpdate.
The Symantec Protection Engine LiveUpdate configuration file contains the configuration
options for LiveUpdate. The LiveUpdate configuration file is stored in the following location by
default:

Linux   /opt/SYMCScan/bin/liveupdate.xml

When Symantec Protection Engine performs a LiveUpdate, the definitions that are downloaded
are automatically selected as the active definitions. You can revert to the previous versions of
the URL definitions. The definition set that you choose remains active until the next LiveUpdate
occurs, after which the newly downloaded definitions become the active definition set.

Note: If Symantec Protection Engine is running as a non-root user, that user must have the
required permissions on the license file in the /opt/Symantec directory for LiveUpdate to work.

To edit the LiveUpdate server details, see “Configure the LiveUpdate server details” on page 266.
See “Configuring LiveUpdate to occur automatically” on page 165.
See “Performing LiveUpdate on demand” on page 166.
See “Rolling back URL definitions” on page 169.

Configuring LiveUpdate to occur automatically


You can schedule LiveUpdate to occur automatically at a specified time interval to ensure that
Symantec Protection Engine always has the most current definitions. When you install a valid
antivirus content license or URL content license, Symantec Protection Engine automatically
tries to perform a LiveUpdate. By default, Symantec Protection Engine is configured to perform
a LiveUpdate every two hours.
When LiveUpdate is scheduled, it runs at the specified time interval relative to the LiveUpdate
base time. The default LiveUpdate base time is the time that Symantec Protection Engine was
installed. You can change the LiveUpdate base time by editing the configuration file. If you
change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base
time.
You can also schedule LiveUpdate to occur at a specific time or within a time range of the day.
You can specify the hour and minute of the day, and LiveUpdate triggers at the specified time.
If you do not want LiveUpdate to trigger exactly at the start hour and minute, you can specify
a time range of 30 minutes. LiveUpdate then triggers at a random time within the specified
range. You can configure this option in the Core server only mode. For more information, see

Note: If you configure LiveUpdate to trigger at a specific frequency and also at a specific time
or range of the day, the LiveUpdate at the specific time or range takes precedence.

See “Change the LiveUpdate base time” on page 265.
See “To configure LiveUpdate to occur automatically” on page 166.
To configure LiveUpdate to occur automatically
1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click LiveUpdate Content.
3 In the content area under LiveUpdate Content, check Enable scheduled LiveUpdate.
The default setting is enabled.
4 In the LiveUpdate interval drop-down list, select the interval.
You can choose from 2, 4, 8, 10, 12, or 24-hour intervals. The default setting is 2 hours.
5 On the toolbar, select one of the following options:

Save Saves your changes.

Use this option to continue making changes in the console until you are ready
to apply them.

Apply Applies your changes.

Your changes are not implemented until you apply them.

See “About LiveUpdate” on page 164.

Performing LiveUpdate on demand


You can run LiveUpdate on demand to force an immediate update of definitions. If you have
scheduled LiveUpdate, the next scheduled LiveUpdate attempt still occurs at its scheduled time.
To perform LiveUpdate on demand
1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click LiveUpdate Content.
3 Under Definition Details, select a definitions set that you want to update.
4 Under Tasks, click LiveUpdate Content.
See “Performing LiveUpdate on demand in the Core server only mode ” on page 221.
See “About LiveUpdate” on page 164.

About editing the LiveUpdate XML file


You must configure LiveUpdate in the liveupdate.xml file so that Symantec Protection Engine
always has the most current definition files.

See “About editing the Symantec Protection Engine configuration files” on page 257.
Table 9-1 lists the default parameters that are added to the liveupdate.xml file.

Table 9-1 Default Parameters in liveupdate.xml file

Parameter     Description

Protocol      Updated definition files are retrieved through HTTP. This information is required
              unless you use a host file. The default setting for the LiveUpdate transport
              protocol is HTTP.
              See “Configure the LiveUpdate server details” on page 266.

Server name   Symantec Protection Engine contacts a specified server to check for and to
              retrieve updated definition files. You must supply the appropriate LiveUpdate
              server name. The default server is liveupdate.symantec.com.
              See “Configure the LiveUpdate server details” on page 266.

Port          You must specify the TCP/IP port that the LiveUpdate server is listening on. The
              default value is 80.
              See “Configure the LiveUpdate server details” on page 266.

Path          Specify the directory on the LiveUpdate server that contains the LiveUpdate
              packages.
              Note: This is an optional parameter.
              See “Configure the LiveUpdate server details” on page 266.

User name     Specify a user name to log on to the LiveUpdate server.
              Note: This is an optional parameter.
              See “Configure the LiveUpdate server details” on page 266.

Password      Specify a password to log on to the LiveUpdate server.
              Note: This is an optional parameter.
              See “Configure the LiveUpdate server details” on page 266.

About LiveUpdate logging


Symantec Protection Engine downloads seven types of definitions to ensure that your network
is up-to-date with the most current antivirus, URL, and Insight definitions.
Table 9-2 lists the various LiveUpdate definitions and their descriptions.

Table 9-2 LiveUpdate definitions

Definition   Definition type   Description

Antivirus    Antivirus         These definition updates ensure that Symantec Protection Engine
                               can detect potential threats and risks.

URL          Symantec URL      These definitions update the predefined URL categories.

URL          CAIC URL          These definitions update the Child Abuse Image Content (CAIC)
                               URL categories.

URL          URL Reputation    These definitions update the IP and Domain/URL Reputation feeds.

About types of logging


The LiveUpdate definition status is logged in the following two types of logs:
■ Basic LiveUpdate logs
See “About basic LiveUpdate logs” on page 168.
■ Detailed LiveUpdate logs
See “About detailed LiveUpdate logs” on page 169.

About basic LiveUpdate logs


The basic logs provide a brief overview of the definition content status. These logs are enabled
by default and their location is non-configurable.
The following table lists each definition type and its default log location:

Definition type   Log location

Antivirus         On UNIX platforms:
                  /opt/SYMCScan/bin/definitions/Stargate/logs/

Symantec URL      On UNIX platforms:
                  /opt/SYMCScan/bin/definitions/URLListLookup/DefDownloads/SYM/Logs/lux.log

CAIC URL          On UNIX platforms:
                  /opt/SYMCScan/bin/definitions/URLListLookup/DefDownloads/CAIC/Logs/lux.log

URL Reputation    On UNIX platforms:
                  /opt/SYMCScan/bin/definitions/URLRepLookup/URLReputationList/DefDownloads/URLREP/Logs/lux.log

About detailed LiveUpdate logs


The detailed logs provide a more detailed definition content status. These logs are optional and
disabled by default. Unlike the basic logs, the location of the detailed logs is configurable.
You can enable detailed LiveUpdate logging on Unix platforms. The configuration files that are
required to enable detailed LiveUpdate logging are in the
Symantec_Protection_Engine_Tools_8.1.0.XX_IN.zip file.

About enabling detailed LiveUpdate logging on Unix


To enable detailed LiveUpdate logging on Unix
1 Copy the lux.logging.conf file from the
Symantec_Protection_Engine_Tools_8.1.0.XX_IN.zip\Tools\LiveUpdate_Log_Config\
folder into the /etc/symantec directory.
2 Edit the following values in the lux.logging.conf file:
■ logger.enabled=true
■ logger.level=info
■ logger.sink=file
■ logger.sink.file.filePath=<user-defined file path>

Note: Ensure that the user-defined file path exists.

Rolling back URL definitions


Symantec Protection Engine automatically uses the most current set of definitions for scanning.
However, if a problem is discovered with the current definition set, you can revert (roll back)
to the previous set of URL definitions. You can roll back definitions regardless of the method
that is used to obtain the definitions. Symantec Protection Engine supports only one rollback
of URL definition sets.
Symantec Protection Engine installs with the most current definitions that are available at the
time the product is released. After you install the product and activate the licenses, you need
to perform a definition update to obtain the most current definitions. If you discover a problem
with the new URL definitions, you can revert to the URL definitions that were shipped with the
product.
See “About licensing” on page 63.
The LiveUpdate Content page provides information about whether your definition rollback was
successful. If the rollback operation fails, it might be because a previous definition set does
not exist or because you do not have a valid content license.
To roll back definitions
1 In the console on the primary navigation bar, click System.
2 In the sidebar under Views, click LiveUpdate Content.
3 In the content area under Definition Details, select the definition set that you want to
roll back.
4 In the sidebar under Tasks, click Rollback <definition feature name> Definitions.
See “About definition updates” on page 163.

About on demand rollback


Symantec Protection Engine now supports on demand rollback of the definitions. Create a file
in the Symantec Protection Engine installation directory. The file name must be
RollBackNowFlag. Symantec Protection Engine periodically checks for this file and performs
a rollback when the file is present. Symantec Protection Engine automatically removes the
file once the rollback is triggered.
Points to remember when you configure on demand rollback:
■ The first line of the RollBackNowFlag file should contain the definition to be rolled back.
■ Only one definition rollback is allowed at a time.
■ Allowed values for the first line of the RollBackNowFlag file are SYMURL, URLREP, and
CAICURL.

Note: All the above values are case sensitive.

■ If any definition update is in progress, then rollback is not allowed and a rollback failed
warning is logged.
■ If the RollBackNowFlag file contains an invalid value or is empty, an error message that
indicates an invalid rollback request is logged.
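As an added example, not from the Symantec guide, the following POSIX shell function writes the RollBackNowFlag file described above and applies the rules listed here before it does so: the value must be exactly SYMURL, URLREP, or CAICURL (case-sensitive), and only one rollback request may be pending. The installation directory defaults to /opt/SYMCScan, the Linux default given elsewhere in this guide; the function names and the SPE_HOME variable are the example's own, not part of the product.

```shell
#!/bin/sh
# Added example (not part of the Symantec Protection Engine guide or product).
# Requests an on demand URL definition rollback by creating the RollBackNowFlag
# file, after validating the request so that a typo surfaces here rather than as
# an "Invalid rollback request" entry in the product log.
# SPE_HOME is an assumption of this example; it defaults to the Linux install
# directory documented in the guide.

SPE_HOME="${SPE_HOME:-/opt/SYMCScan}"

# valid_rollback_target NAME
# Returns 0 only for the three values the guide allows. The match is
# case-sensitive on purpose: the product treats "symurl" as invalid.
valid_rollback_target() {
    case "$1" in
        SYMURL|URLREP|CAICURL) return 0 ;;
        *) return 1 ;;
    esac
}

# request_rollback NAME [DIR]
# Creates DIR/RollBackNowFlag with NAME on its first (and only) line.
# Refuses an invalid NAME, and refuses to queue a second request while a flag
# file is still present, because the product removes the file only after it has
# triggered the rollback and allows one definition rollback at a time.
request_rollback() {
    target="$1"
    dir="${2:-$SPE_HOME}"
    flag="$dir/RollBackNowFlag"

    if ! valid_rollback_target "$target"; then
        echo "request_rollback: '$target' is not one of SYMURL, URLREP, CAICURL (case-sensitive)" >&2
        return 2
    fi
    if [ -e "$flag" ]; then
        echo "request_rollback: $flag already exists; a rollback request is pending" >&2
        return 3
    fi
    # printf rather than echo: exactly one line, no interpretation of the value
    printf '%s\n' "$target" > "$flag"
}

# Usage (uncomment to run against a real installation):
# request_rollback URLREP            # uses $SPE_HOME
# request_rollback CAICURL /opt/SYMCScan1
```

Because the product deletes the flag only when it actually triggers the rollback, a flag that is still on disk is a pending request, and the function treats that as a reason to refuse rather than to overwrite it.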
Chapter 10
Working with the Core server only mode
This chapter includes the following topics:

■ About the Core server only mode

■ Inactive XPaths

■ Configuring ICAP options in the Core server only mode

■ Configuring the antivirus scan policy in the Core server only mode

■ Configuring APK Reputation in the Core server only mode

■ Configuring the quarantine server in the Core server only mode

■ Configuring file name filtering in the Core server only mode

■ Configuring file size filtering in the Core server only mode

■ Configuring true type file filtering in the Core server only mode

■ Configuring Symantec Protection Engine to handle encrypted container files in the Core
server only mode

■ Customizing notifications in the Core server only mode

■ Enabling Symantec Insight™ in the Core server only mode

■ Configuring the scanning aggression level in the Core server only mode

■ Excluding files from scanning based on file size in the Core server only mode

■ Monitoring scanning requests in the Core server only mode

■ Enabling resource consumption logging in the Core server only mode



■ Specifying the maximum file or message size to scan in the Core server only mode

■ Setting container file limits in the Core server only mode

■ Enabling URL filtering in the Core server only mode

■ Enabling URL Reputation in the Core server only mode

■ Denying access to URLs in URL categories in the Core server only mode

■ Customizing the access denied message in the Core server only mode

■ Specifying the log bind address in the Core server only mode

■ Specifying the local logging level in the Core server only mode

■ Changing the directory where log files are located in the Core server only mode

■ Changing the number of log file to be maintained in the Core server only mode

■ Enabling statistics reporting in the Core server only mode

■ Configuring logging to the Linux Syslog in the Core server only mode

■ Activating SMTP alerts in the Core server only mode

■ Activating SNMP alerts in the Core server only mode

■ Configuring outbreak alerts in the Core server only mode

■ Configuring LiveUpdate to occur automatically in the Core server only mode

■ Performing LiveUpdate on demand in the Core server only mode

■ About editing the LiveUpdate XML file

About the Core server only mode


The Symantec Protection Engine user interface requires Java to be installed prior to installing
Symantec Protection Engine. From version 7.5.0 onwards, you have the option to install
Symantec Protection Engine in the Core server only mode that allows you to administer and
configure Symantec Protection Engine using the command-line interface. Since the Core
server only mode uses the command-line interface to configure the options, it is independent
of Java.
Table 10-1 lists some features that have been adapted to suit the Core server only mode.

Table 10-1 Adapted features for the Core server only mode

Feature                 Description

Configuration settings  The XMLModifier utility must be used to configure options in Symantec
                        Protection Engine while operating in the Core server only mode.
                        See “About XMLModifier tool” on page 173.

Detailed reporting      Prior to version 7.5.0, reports and logs were generated using the user
                        interface only. Now, you can choose to use the LogConverter utility to
                        generate detailed reports while operating in the Core server only mode.
                        This utility converts the Symantec Protection Engine log files into a
                        readable format. It converts the input log file(s) into text, HTML (-h
                        switch), or CSV (-c switch) format. The default output format is text.
                        On Linux, ensure that the LogConverter utility is executed from the default
                        installation directory, /opt/SYMCScan/bin. If you have stored it in another
                        location, set the LD_LIBRARY_PATH environment variable to the directory
                        that contains this utility.
                        For example, LD_LIBRARY_PATH=/opt/SYMCScan1/bin (non-default location)

Definition updates      In the Core server only mode, you can either update definitions on demand
                        or schedule updates automatically at a specified time interval.
                        See “Configuring LiveUpdate to occur automatically in the Core server only
                        mode” on page 219.
                        See “Performing LiveUpdate on demand in the Core server only mode” on
                        page 221.

About XMLModifier tool


The XML files that you can modify are as follows:

configuration.xml   Contains the protocol settings, resource settings, logging settings,
                    quarantine server settings, and proxy server settings.

filtering.xml       Contains the settings for URL filtering, container limits and container
                    handling, and file attribute and email attribute handling.

liveupdate.xml      Contains the LiveUpdate options.

policy.xml          Contains the antivirus scan settings, Insight settings, APK reputation
                    settings, and access-denied and notification messages.

Following is the XML modifier command-line tool for Symantec Protection Engine:
■ xmlmodifier
A tool used on Linux platforms to modify the XML files.
Always run the XMLModifier utility from the installation directory. After you change the settings
by using the XMLModifier utility, you must stop and start the Symantec Protection Engine
service for the changes to take effect.

XMLModifier options
Use the XML modifier command-line tool of Symantec Protection Engine to modify the XML
files.

Note: For boolean values, allowed and recommended values are true or false.

Table 10-2 provides the option commands that you can use with the XML modifier command-line
tool of Symantec Protection Engine.

Table 10-2 Option commands

Option name             Description

Remove                  If the XPath specifies an attribute, then that attribute is set to an empty
                        string.
                        If the XPath specifies a group, then the items within that group are
                        removed. If you want to populate a list within the XML document with new
                        items, first remove the whole list.
                        The command is as follows:
                        For Linux: xmlmodifier -r <XPath> <XMLfile>
                        where <XPath> is the required XPath and <XMLfile> is the XML file name.

Bulk copy               Use the bulk copy command to insert a list of items from a bulk file at the
                        XPath location. Each item in the bulk file must be on a separate line. The
                        bulk copy command appends the bulk file items to the XPath location. Only
                        use this command to insert lists.
                        The command is as follows:
                        For Linux: xmlmodifier -b <XPath> bulkfile <XMLfile>
                        where <XPath> is the required XPath, bulkfile is the file that contains the
                        items, and <XMLfile> is the XML file name.

Node value              This command sets a node value.
                        The command is as follows:
                        For Linux: xmlmodifier -s <XPath> newvalue <XMLfile>
                        where <XPath> is the required XPath, newvalue is the value to set, and
                        <XMLfile> is the XML file name.
                        For example,
                        xmlmodifier -s //filtering/URLFilter/@enabled <value> filtering.xml

Encrypt the password    This command encrypts the specified password using the AES 256-bit
(using the AES 256-bit  encryption method and stores it in the specified XPath location. However,
encryption method)      only certain parameters support this encryption method in Symantec
and store in the        Protection Engine.
specified XPath         Table 10-3 lists the parameters that are encrypted using this method.
location                The command is as follows:
                        For Linux: xmlmodifier -k <XPath> <password> <SPE install directory> <XMLfile>
                        where <XPath> is the required XPath, <password> is your password,
                        <SPE install directory> is the path to the installation directory, and
                        <XMLfile> is the XML file name.
                        Note: Make sure that the path to the Symantec Protection Engine
                        installation directory does not end with /.

Query                   This command returns the value of the node in the XML document with no
                        trailing newline.
                        The command is as follows:
                        For Linux: xmlmodifier -q <XPath> <XMLfile>
                        where <XPath> is the required XPath and <XMLfile> is the XML file name.

Query list              This command returns the list of values of the node in the XML document,
                        each followed by a newline. The l is lowercase, as in list.
                        The command is as follows:
                        For Linux: xmlmodifier -l <XPath> <XMLfile>
                        where <XPath> is the required XPath and <XMLfile> is the XML file name.

Add local URL           This command adds local URL categories.
categories              The command is as follows:
                        For Linux: xmlmodifier -a <urlcategory1|urlcategory2|..>
                        where <urlcategory> is the local URL category.

Delete local URL        This command deletes local URL categories.
categories              The command is as follows:
                        For Linux: xmlmodifier -d <urlcategory1|urlcategory2|..>
                        where <urlcategory> is the local URL category.

Add URL(s) to local     This command adds URL(s) to a local URL category.
URL category            The command is as follows:
                        For Linux: xmlmodifier -u <urlcategory|url1|url2|..>
                        where <url> is the URL to be added and <urlcategory> is the local URL
                        category.

Delete URL(s) from      This command deletes URL(s) from a local URL category.
local URL category      The command is as follows:
                        For Linux: xmlmodifier -v <urlcategory|url1|url2|..>
                        where <url> is the URL to be deleted and <urlcategory> is the local URL
                        category.

Add URL(s) to URL       This command adds URL(s) to the URL Override List.
Override List           The command is as follows:
                        For Linux: xmlmodifier -o <url1|url2|..>
                        where <url> is the URL to be added.

Delete URL(s) from      This command deletes URL(s) from the URL Override List.
URL Override List       The command is as follows:
                        For Linux: xmlmodifier -i <url1|url2|..>
                        where <url> is the URL to be deleted.

Table 10-3 Parameters that require password encryption using the AES 256-bit method

Parameter name              XPath                                               Configuration file name

Proxy Server Password       /configuration/ProxyServerSettings/Password/@value  configuration.xml

LiveUpdate Server Password  /liveupdate/UpdateServer/Password/@value            liveupdate.xml

Note: The XMLModifier utility has a dependency on the libxml2 library. If this library is not
found, the utility may throw an error. The libxml2 library is already present in the installation
directory. However, if the XMLModifier utility is still unable to find the library on UNIX machines,
you can add the path, /opt/SYMCScan/bin, to the LD_LIBRARY_PATH environment variable.

Accessing the XML modifier command-line tool

To edit the XML files, use the XML modifier command-line tool. The XML modifier command-line
tool is included in the Symantec Protection Engine.zip file. This tool is automatically installed
when you install the Symantec Protection Engine.
See “About XMLModifier tool” on page 173.
To access the XML modifier command-line tool
◆ At the command prompt, type the following:
For Linux
xmlmodifier
See “XMLModifier options” on page 174.
See “About configuration options” on page 258.

Inactive XPaths
Some configuration settings from previous releases are no longer valid in Symantec Protection
Engine 8.1. However, the XML files still contain those settings. You cannot configure these values
using the XMLModifier tool. If you run the xmlmodifier command with such an inactive XPath, you
get the following error:
XPath is not active in Symantec Protection Engine 8.1 and later versions.
Symantec Protection Engine does not support inactive XPaths.

Ensure that you always use the complete XPath in the command. If you use an incomplete XPath
by skipping a child node with two slashes (//), xmlmodifier does not show an error even if the
XPath is inactive.
For example, you get the error for the following inactive XPath:
/policies/ThreatPolicies/AntiVirusScanning/@enabled

You do not get the error for the same XPath if you skip the child node (ThreatPolicies) with
two slashes (//):
/policies//AntiVirusScanning/@enabled

Following is the list of those inactive XPaths.

Configuration.xml
Inactive XPaths in the configuration.xml file:
■ //configuration/ProtocolSettings/ICAP/EnableSubCategoryDescriptionResp/@value
■ //configuration/ProtocolSettings/ICAP/EnableContainerEngineNameResp/@value
■ //configuration/Logging/Outbreak/Malformed Container/@enabled
■ //configuration/Logging/Outbreak/Malformed Container/@interval
■ //configuration/Logging/Outbreak/Malformed Container/@threshold
■ //configuration/Logging/Outbreak/MailPolicy/@enabled
■ //configuration/Logging/Outbreak/Mailpolicy/@interval
■ //configuration/Logging/Outbreak/Mailpolicy/@threshold
■ //configuration/Logging/Outbreak/InsightDetected/@enabled
■ //configuration/Logging/Outbreak/InsightDetected/@interval
■ //configuration/Logging/Outbreak/InsightDetected/@threshold

Policy.xml
Inactive XPaths in the policy.xml file:
■ //policies/ThreatPolicies/AntiVirusScanning/@enabled
■ //policies/ThreatPolicies/AntiVirusScanning/BloodhoundLevel/@value
■ //policies/ThreatPolicies/AntiVirusScanning/SecurityRiskScanning/@enabled
■ //policies/ThreatPolicies/AntiVirusScanning/AdvancedHeuristicsScanning/@enabled
■ //policies/ThreatPolicies/AntiVirusScanning/AdvancedMachineLearning/@enabled
■ //policies/ThreatPolicies/AntiVirusScanning/DefaultFileExtension/@value
■ //policies/ThreatPolicies/InsightScanning/InsightCSCAT/@value
■ //policies/ThreatPolicies/InsightScanning/InsightNASCAT/@value
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/KeepConnectionOpen/@value
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/BackendNetworkTimeout/@value
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/ExonerationNetworkTimeout/@value
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/ConvictionNetworkTimeout/@value
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/SHA256ExclusionList/items/

■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/SourceIPExclusionList/items/
■ //policies/ThreatPolicies/InsightScanning/InsightPolicy/SourceURLExclusionList/items/
■ //policies/ThreatPolicies/InsightScanning/InsightServerDetails/TrustedCAFilePath/@value
■ //policies/ThreatPolicies/APKReputation/APKReputationPolicy/ThresholdSecurityRating/@value

■ //policies/ThreatPolicies/APKReputation/PartnerKey/@value
■ //policies/ThreatPolicies/APKReputation/VerifyPeer/@value
■ //policies/ThreatPolicies/APKReputation/QueryTimeOut/@value
■ //policies/ThreatPolicies/APKReputation/ScanTimeOut/@value
■ //policies/ThreatPolicies/APKReputation/FileSizeExclusionThreshold/@value
■ //policies/ThreatPolicies/APKReputation/CacheSettings/ThresholdCacheEntries/@value
■ //policies/ThreatPolicies/APKReputation/CacheSettings/CacheTimeToLive/@value
■ //policies/ThreatPolicies/APKReputation/CacheSettings/CacheDump/@enabled
■ //policies/ThreatPolicies/APKReputation/CacheSettings/CacheDump/@frequency
■ //policies/ThreatPolicies/APKReputation/ThreadPool/MinThreads/@value
■ //policies/ThreatPolicies/APKReputation/ThreadPool/MaxThreads/@value
■ //policies/ThreatPolicies/APKReputation/ThreadPool/ThresholdQueuedAPKQueries/@value

■ //policies/ThreatPolicies/Actions/InsightActionPolicy/@value
■ //policies/ThreatPolicies/Actions/APKReputationActionPolicy/@value
■ //policies/ThreatPolicies/Notifications/FileRepairedNotificationText/@value
■ //policies/ThreatPolicies/Notifications/APKFileDeletedNotificationText/@value

Filtering.xml
Inactive XPaths in the filtering.xml file:
■ //filtering/Container/DecEngines/@value
■ //filtering/Container/MaxInMemoryFileSize/@value
■ //filtering/Container/MaxExtractTime/@actionpolicy
■ //filtering/Container/MaxExtractTime/@value
■ //filtering/Container/DecFileSize/@value
■ //filtering/Container/EnableMSOfficeCRD/@value
■ //filtering/Container/UpdateMailBody/@value

■ //filtering/Container/EncryptedContainersHandling/SuppressOfficeFormatEncryption/@value
■ //filtering/Container/MalformedContainersHandling/@enabled
■ //filtering/Container/MalformedContainersHandling/Actions/MalformedContainersActionPolicy/@value
■ //filtering/Container/MalformedContainersHandling/Actions/ContinueProcessingInMalformedBlockPolicy/@value
■ //filtering/Container/MalformedContainersHandling/Actions/Quarantine/@value
■ //filtering/Container/MalformedContainersHandling/IgnoreExtensionMismatchMalformity/@value
■ //filtering/Container/MalformedContainersHandling/IgnoreStructureMismatchMalformity/@value
■ //filtering/Container/MalformedContainersHandling/HandleExtractionFailureAsMalformity/@value
■ //filtering/Container/MalformedContainersHandling/NotificationText/@value
■ //filtering/Container/MalformedContainersHandling/ScanMalformedContainersDepth/@value
■ //filtering/Container/DenyPartialMIME/@actionpolicy
■ //filtering/Container/EnableEnhancedContainerHandling/@value
■ //filtering/Container/Options/ExtractNativeOLEStreamsOnly/@value
■ //filtering/Container/Options/NonHQXThreshold/@value
■ //filtering/Container/Options/NonMIMEThreshold/@value
■ //filtering/EmailAttribute/DenySubjects/@value
■ //filtering/EmailAttribute/DenySubjectsList/items
■ //filtering/EmailAttribute/DenyEmptySubjects/@value
■ //filtering/EmailAttribute/DenyBlackLists/@value
■ //filtering/EmailAttribute/BlackListAddresses/items

Liveupdate.xml
Inactive XPaths in the liveupdate.xml file:
■ //liveupdate/Schedule/Retries/@value
■ //liveupdate/RapidRelease/Schedule/@enabled
■ //liveupdate/RapidRelease/Schedule/Interval/@value
■ //liveupdate/RapidRelease/FTPSettings/URL/@value
■ //liveupdate/RapidRelease/FTPSettings/UserName/@value
■ //liveupdate/RapidRelease/FTPSettings/Password/@value
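
A pre-flight check for the two traps this section describes, written as an added example rather than product code: it rejects an XPath that abbreviates a step with an interior // (which makes xmlmodifier skip the inactive-XPath error) and refuses the listed inactive XPaths outright. The INACTIVE_XPATHS list is a constructed subset of the entries above, and check_xpath and safe_set are names chosen here.

```sh
#!/bin/sh
# Added example, not part of Symantec Protection Engine: a wrapper that
# validates an XPath before handing it to xmlmodifier.
# Assumption: INACTIVE_XPATHS is a constructed subset of the inactive
# entries listed in this section; add the rest for production use.
INACTIVE_XPATHS='
//configuration/ProtocolSettings/ICAP/EnableSubCategoryDescriptionResp/@value
//policies/ThreatPolicies/AntiVirusScanning/@enabled
//policies/ThreatPolicies/AntiVirusScanning/BloodhoundLevel/@value
//filtering/Container/MaxExtractTime/@value
//liveupdate/Schedule/Retries/@value
'

# Canonical form: strip up to two leading slashes so that /a/b and //a/b
# (both spellings appear in this guide) compare equal.
canon_xpath() {
    x=$1
    x=${x#/}
    x=${x#/}
    printf '%s\n' "$x"
}

# check_xpath XPATH
#   returns 0 when the XPath is complete and not on the inactive list,
#   1 when it abbreviates a step with an interior // (error would be hidden),
#   2 when it matches an inactive XPath.
check_xpath() {
    xp=$(canon_xpath "$1")
    case "$xp" in
        *//*)
            echo "refusing abbreviated XPath (interior //): $1" >&2
            return 1 ;;
    esac
    for entry in $INACTIVE_XPATHS; do
        if [ "$(canon_xpath "$entry")" = "$xp" ]; then
            echo "XPath is inactive in Symantec Protection Engine 8.1: $1" >&2
            return 2
        fi
    done
    return 0
}

# safe_set XPATH VALUE FILE: runs "xmlmodifier -s" only for a checked XPath
# and propagates the check's status otherwise.
safe_set() {
    check_xpath "$1" || return $?
    xmlmodifier -s "$1" "$2" "$3"
}

# Demo: the abbreviated form from the text is caught before xmlmodifier runs.
check_xpath '/policies//AntiVirusScanning/@enabled' || echo "rejected, status $?"
```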

Configuring ICAP options in the Core server only mode

If you select ICAP, you must configure certain options specific to ICAP. You must also configure
the ICAP client to work with Symantec Protection Engine. For more information, see the ICAP
client documentation.
Table 10-4 on page 181 describes the configuration options for ICAP.

Table 10-4 Protocol-specific options for ICAP

Option         Description

Bind address   Symantec Protection Engine detects all of the available IP addresses that are
               installed on the host. By default, Symantec Protection Engine accepts scanning
               requests on (binds to) all of the scanning IP addresses that it detects. You can
               configure up to 64 IP addresses as scanning IP addresses.

               You can specify whether you want Symantec Protection Engine to bind to all
               of the IP addresses that it detects, or you can restrict access to one or more
               interfaces. If you do not specify at least one IP address, Symantec Protection
               Engine binds to all of the scanning IP addresses that it detects.

               If Symantec Protection Engine fails to bind to any of the selected IP addresses,
               an event is written to the log as a critical error. Even if Symantec Protection
               Engine is unable to bind to any IP address, you can access the console.
               However, scanning functionality is unavailable.

               See “Logging levels and events” on page 142.

               Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that
               are running on the same computer connect to Symantec Protection Engine.

Port number    The port number must be exclusive to Symantec Protection Engine. You must
               use the same port number for all of the scanning IP addresses that you want
               to bind to Symantec Protection Engine.

               The default port number is 1344. If you change the port number, use a number
               that is equal to or greater than 1024. No other program or service should use
               this port number.

To configure ICAP protocol


1 Go to the Symantec Protection Engine installation directory.
2 Set the ICAP protocol.
Command:
xmlmodifier -s //configuration/ProtocolSettings/Protocol/@value ICAP
configuration.xml

Allowed values:

■ ICAP
Enables the ICAP protocol.
Default value: ICAP
3 Specify the Bind address.
Command:
xmlmodifier -s //configuration/ProtocolSettings/ICAP/BindAddress/@value
<value> configuration.xml

Allowed values: Scanning IP addresses that you want to bind to Symantec Protection
Engine.
Default value: Symantec Protection Engine binds to all interfaces.
4 Specify the port number that the client application uses to pass files to Symantec Protection
Engine for scanning.
Command:
xmlmodifier -s //configuration/ProtocolSettings/ICAP/Port/@value <value>
configuration.xml

Allowed values: Port number that is equal to or greater than 1024. No other program or
service should use this port number. You must use the same port number for every
scanning IP addresses that you want to bind to Symantec Protection Engine.
Default value: 1344
5 Restart the Symantec Protection Engine service.
See “About working with ICAP” on page 75.

Configuring the antivirus scan policy in the Core server only mode
You can configure Symantec Protection Engine to do one of the following when an infected
file is found: scan only, scan and repair, scan and repair or delete, or scan and delete.
To configure the antivirus scan policy
1 Go to the Symantec Protection Engine installation directory.
2 Configure Symantec Protection Engine to do one of the following when an infected file is
found.
Command:
xmlmodifier -s //policies/ThreatPolicies/Actions/AVActionPolicy/@value
<value> policy.xml

Allowed values:
■ 0 - Scan only
■ 1 - Scan and repair
■ 2 - Scan and repair or delete
■ 3 - Scan and delete

Note: Symantec Protection Engine version 8.1 does not support repair of infected files.

Default value: 2 - Scan and repair or delete


3 Restart the Symantec Protection Engine service.

Note: You must select Scan and repair or delete if you plan to quarantine the infected files that
cannot be repaired. See “About quarantining files in Symantec Protection Engine ” on page 85.

Configuring APK Reputation in the Core server only mode
APK Reputation feature is enabled by default. You can configure the APK Reputation settings
in the Core server only mode.
To configure APK Reputation
1 Go to the Symantec Protection Engine installation directory.
2 Enable APK Reputation.
Command:
xmlmodifier -s //policies/ThreatPolicies/APKReputation/@enabled true
policy.xml

Allowed values:
■ true
APK Reputation feature is enabled
■ false
APK Reputation feature is disabled
Default value: true
3 Restart the Symantec Protection Engine service.
See “About Android Application (APK) Reputation ” on page 97.

Configuring the quarantine server in the Core server only mode
If you plan to quarantine the files that might contain threats or malicious code, configure
Symantec Protection Engine to quarantine files. Also provide the host name or IP address for
the computer on which Symantec Central Quarantine Server is installed.
To configure quarantine server in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable the quarantine settings.
Command:
xmlmodifier -s //configuration/QuarantineServerSettings/@enabled true
configuration.xml

Allowed values:
■ false
Disables quarantine.
■ true
Enables quarantine.
Default value: false
3 Specify the quarantine server name.
Command:
xmlmodifier -s //configuration/QuarantineServerSettings/ServerName/@value
<server name> configuration.xml

Allowed values:
■ Hostname or IP address for the computer on which Symantec Central Quarantine
Server is installed.

4 Specify the quarantine server port.
Command:
xmlmodifier -s //configuration/QuarantineServerSettings/ServerPort/@value
<value> configuration.xml

For example,
xmlmodifier -s //configuration/QuarantineServerSettings/ServerPort/@value
4200 configuration.xml

Allowed values:

■ TCP/IP port number that Symantec Protection Engine uses to pass files to Symantec
Central Quarantine.

5 Restart the Symantec Protection Engine service.


See “About quarantining files in Symantec Protection Engine ” on page 85.
See “Configuring antivirus scan policy in Symantec Protection Engine” on page 82.
See “Configuring Symantec Protection Engine to handle encrypted container files” on page 92.

Configuring file name filtering in the Core server only mode
If your client uses the ICAP protocol, you can filter files by file name to protect your network
during an outbreak. For example, if you know the file name of a new email-borne threat, you
can use this information to block infected email messages.
You can configure Symantec Protection Engine to handle the file in one of the following ways:

Block access to the file or the message
    Blocks access to any top level file that matches the file name.
    If a container file or email message contains a file or attachment that matches the
    file name, access to the entire container or message is blocked.

Delete the file or the attachment
    Deletes any file that matches the file name and logs the violation.
    Symantec Protection Engine deletes any attachments within an email message that
    match the file name. Attachments that do not match the file name are not deleted
    and are delivered with the message.
    Symantec Protection Engine deletes any embedded files that match the specified
    file name within a container file that contains multiple files. The embedded files that
    do not match the specified file name are not deleted. Deleted files are replaced with
    a replacement file, DELETED<N>.TXT, which indicates the reason that the file was
    deleted.

See “Customizing notifications in Symantec Protection Engine” on page 93.

Use wildcard characters if you are unsure of an exact file name or to block all file attachments
with a specific extension. For example, you can use the wildcard *virus* to block all attachments
with the word virus in the file name.

Note: If your client uses the antivirus-only application programming interface (API), file name
violations are reported to the client in the server's response as email policy violations. If you
use the extended API or have a standard ICAP implementation, this type of violation is reported
as a file violation.

To configure file name filtering in Symantec Protection Engine


1 Go to the Symantec Protection Engine installation directory.
2 Enable filtering by file name.
Command:
xmlmodifier -s //filtering/FileAttribute/FileNamesEnabled/@value true
filtering.xml

Allowed values:
■ true
Enable file name filtering.
■ false
Disable file name filtering.
Default value: true
3 Create a text file and type the file names that you want to filter. Type one entry per line.
Search strings are not case-sensitive.
Command:
xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items <file name>
filtering.xml

For example:
xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items sample.txt filtering.xml

Allowed values:
A text file with the list of the file names that you want to filter.
4 Specify an action to block or delete the file.
Select one of the options to specify how you want Symantec Protection Engine to handle
the messages that contain an attachment with that file name:
Command:
xmlmodifier -s //filtering/FileAttribute/DeleteFileNames/@value <value>
filtering.xml

Allowed values:
■ true
Delete the file or attachment.
■ false
Block access to the file or the message.

Default value: false


5 Restart the Symantec Protection Engine service.
See “About preventing potential threats in Symantec Protection Engine” on page 86.
See “Configuring file size filtering in Symantec Protection Engine” on page 89.

Configuring file size filtering in the Core server only mode
If your client uses the ICAP protocol, you can filter files based on their sizes. For example,
suppose you know the exact size of a new email-borne threat. You can use this information to
block any email messages that match this size.
You can configure Symantec Protection Engine to handle the file in one of the following ways:

Block access to the file or the message
    Blocks access to any top level file that matches the file size.
    If a container file or email message contains a file or attachment that matches the
    specified file size, Symantec Protection Engine blocks the entire container or
    message.

Delete the file or attachment
    Deletes any files that match the specified file size and logs the violation.
    Symantec Protection Engine deletes any attachments within an email message that
    match a specified file size. Attachments that do not match the specified file size are
    delivered with the message.
    Symantec Protection Engine deletes any embedded files within a container file that
    contains multiple files that match the specified file size. The embedded files that do
    not match the specified file size are not deleted. Deleted files are replaced with a
    replacement file, DELETED<N>.TXT (where N denotes the sequence number),
    which indicates the reason that the file was deleted.

See “Customizing notifications in Symantec Protection Engine” on page 93.

To configure file size filtering in Symantec Protection Engine


1 Go to the Symantec Protection Engine installation directory.
2 Enable filtering by file size.
Command:
xmlmodifier -s //filtering/FileAttribute/FileSizesEnabled/@value true
filtering.xml

Allowed values:
■ true
Enable file size filtering.
■ false
Disable file size filtering.
Default value: true
3 Create a text file and type the file sizes that you want to filter. Type one entry per line.
Command:
xmlmodifier -b //filtering/FileAttribute/DenyFileSizes/items <file name>
filtering.xml

For example:
xmlmodifier -b //filtering/FileAttribute/DenyFileSizes/items sample.txt filtering.xml

Allowed values:
A text file with the list of the file sizes that you want to filter.
4 Specify an action to block or delete the file.
Specify how you want Symantec Protection Engine to handle the messages that contain
an attachment with that file size:
Command:
xmlmodifier -s //filtering/FileAttribute/DeleteFileSizes/@value true
filtering.xml

Allowed values:
■ true
Delete the file or attachment.
■ false
Block access to the file or the message
Default value: false
5 Restart the Symantec Protection Engine service.
See “About preventing potential threats in Symantec Protection Engine” on page 86.
See “Configuring file name filtering in Symantec Protection Engine” on page 87.

Configuring true type file filtering in the Core server only mode
You can configure Symantec Protection Engine to handle a file based on its true type. It blocks
access to any top level file that matches the file type. If a container file or email message
contains a file or attachment that matches the file type, access to the entire container or
message is blocked.
You can use wildcard characters to block all files that belong to a category. For
example, you can use the wildcard image/* to block all files that fall under the image category.

Note: Configuration of the file true type filtering is supported only on ICAP protocol.

To configure file type filtering in Symantec Protection Engine


1 Go to the Symantec Protection Engine installation directory.
2 Enable filtering by file type.
Command:
xmlmodifier -s //filtering/FileAttribute/FileTypeFilteringEnabled/@value
true filtering.xml

Allowed values:
■ true
Enables true type file filtering in Symantec Protection Engine.
■ false
Disables true type file filtering in Symantec Protection Engine.
Default value: false
3 Create a text file and type the file types that you want to filter. Type one entry per line.
Command:
xmlmodifier -b //filtering/FileAttribute/DenyFileTypes/items <file name>
filtering.xml

For example:
xmlmodifier -b //filtering/FileAttribute/DenyFileTypes/items "audio/mp3" filtering.xml

Allowed values:
A text file with the list of the file types that you want to filter.
4 Restart the Symantec Protection Engine service.

Configuring Symantec Protection Engine to handle encrypted container files in the Core server only mode
Encrypted files are unscannable in Symantec Protection Engine. If you want to protect your
network from the threats that encrypted container files can carry, configure Symantec Protection
Engine to handle unscannable encrypted container files.
To configure encrypted container file handling in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable encrypted container file handling.
Command:
xmlmodifier -s //filtering/Container/EncryptedContainersHandling/@enabled
true filtering.xml

Allowed values:
■ true
Enables options to handle encrypted container files.
■ false
Disables options to handle encrypted container files.
Default value: true
3 Specify how you want Symantec Protection Engine to handle encrypted container files.
Command:
xmlmodifier -s //filtering/Container/EncryptedContainersHandling/Actions/
EncryptedContainersActionPolicy/@value <value> filtering.xml

Allowed values:
■ 0
Generates a log entry. Symantec Protection Engine only logs instances of encrypted
container files.
■ 1
Blocks the encrypted container files and generates a log entry.
■ 2
Deletes the encrypted container files and generates a log entry.
Default value: 0
4 Specify whether scanning continues for a blocked encrypted container file.
Command:

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/Actions/
ContinueProcessingInEncryptedBlockPolicy/@value true filtering.xml

Allowed values:
■ true
Continues the scanning of the encrypted file that is blocked.
■ false
Stops the scanning of the encrypted file that is blocked.
Default value: false
5 Quarantine the encrypted files.
Command:
xmlmodifier -s //filtering/Container/EncryptedContainersHandling/
Actions/Quarantine/@value true filtering.xml

Allowed values:
■ true
Quarantines the encrypted files.
■ false
Does not quarantine the encrypted files.
Default value: false
6 Restart the Symantec Protection Engine service.
See “About container files in Symantec Protection Engine ” on page 91.
See “Configuring the quarantine in Symantec Protection Engine” on page 85.

Customizing notifications in the Core server only mode
You can customize the messages that Symantec Protection Engine sends to users to notify them
when a file is infected, denied access to, encrypted, or deleted. You can add the text to the
body of a replacement file for a deleted attachment.
Symantec Protection Engine attaches a text file to the email message in the place of each
attachment that is deleted. The text file that is inserted is called DELETED<N>.TXT, where N
is a sequence number. For example, if two attachments are deleted, the replacement files are
called DELETED0.TXT and DELETED1.TXT.
If the attachment is a container file that contains an encrypted file, Symantec Protection Engine
inserts a text file in place of the encrypted file in the container.

When you use ICAP, Symantec Protection Engine displays an HTML text message to the user
when a requested file is blocked. Access to a file is blocked when the file contains a threat.
Table 10-5 describes the types of notification messages that you can customize.

Table 10-5 User notification messages

Type of notification   Default text

Deleted file           File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
                       File ${QUARANTINED}. File was deleted.

Infected file          File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
                       File ${QUARANTINED}. File is still infected.

Total threat found     This email message was infected. ${TOTAL_THREATS} number of threats
                       were found.

Denied file size       The file attached to this email was removed because the file size is not
                       allowed. File attachment: ${FILE_NAME}. Matched file size: ${FILE_SIZE}.

Denied file names      The file attached to this email was removed because the file name is not
                       allowed. File attachment: ${FILE_NAME}. Matched pattern:
                       ${MATCHING_FILENAME_ENTRY}.

Encrypted file         The encrypted container attached to this email was removed. File
                       attachment: ${FILE_NAME}. File ${QUARANTINED}.

Web browser            The content you just requested contains ${THREAT_NAME} and was
                       blocked by the Symantec Protection Engine based on local administrator
                       settings. Contact your local administrator for further information.

Table 10-6 lists the variables that you can use to customize your notifications.

Table 10-6 Notification variables

Variable                     Description

${FILE_NAME}                 The name of the infected file.

${FILE_SIZE}                 The size of the file that violates the maximum file size threshold.
                             See “Configuring file size filtering in Symantec Protection Engine”
                             on page 89.

${THREAT_NAME}               The name of the threat.

${THREAT_ID}                 The threat identification number.

${QUARANTINED}               Indicates whether a file was quarantined.
                             See “About quarantining files in Symantec Protection Engine” on page 85.

${TOTAL_THREATS}             The total number of risks that are detected in the MIME message.

${MATCHING_FILENAME_ENTRY}   The file name pattern that triggered the violation.
                             See “Configuring file name filtering in Symantec Protection Engine”
                             on page 87.

To customize user notifications in Symantec Protection Engine


1 Go to the Symantec Protection Engine installation directory.
2 Enable the user notifications.
Command:
xmlmodifier -s
//policies/ThreatPolicies/Notifications/NotificationTextAtTop/@value true
policy.xml

Allowed values:
■ true
Adds notifications at the top of the message.
■ false
Does not add notifications at the top of the message.
Default value: false
3 Customize the notification for the access denied message.
Command:
xmlmodifier -s
//policies/ThreatPolicies/Notifications/AccessDeniedMessage/@value <text>
policy.xml

Default value: The content you just requested contains ${THREAT_NAME} and was
blocked by the Symantec Protection Engine based on local administrator settings. Contact
your local administrator for further information.

4 Customize the notification for the file deleted message.
Command:
xmlmodifier -s
//policies/ThreatPolicies/Notifications/FileDeletedNotificationText/@value
<text> policy.xml

Default value: File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
File ${QUARANTINED}. File was deleted.
5 Customize the notification for the file infected message.
Command:
xmlmodifier -s
//policies/ThreatPolicies/Notifications/FileInfectedNotificationText/@value
<text> policy.xml

Default value: File: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
File ${QUARANTINED}. File is still infected.
6 Customize the notification for the total number of viruses found message.
Command:
xmlmodifier -s
//policies/ThreatPolicies/Notifications/TotalVirusFoundNotificationText/@value
<text> policy.xml

Default value: This email message was infected. ${TOTAL_THREATS} number of viruses
were found.
7 Customize the notification for the denied file size message.
Command:
xmlmodifier -s
//filtering/FileAttribute/DenyFileSizesNotificationText/@value <text>
filtering.xml

Default value: The file attached to this email was removed because the file size is not
allowed. File attachment: ${FILE_NAME}. Matched file size: ${FILE_SIZE}.

8 Customize the notification for the denied file names message.


Command:
xmlmodifier -s
//filtering/FileAttribute/DenyFileNamesNotificationText/@value <text>
filtering.xml

Default value: The file attached to this email was removed because the file name is not
allowed. File attachment: ${FILE_NAME}. Matched pattern:
${MATCHING_FILENAME_ENTRY}.
9 Customize the notification for the denied encrypted container message.
Command:
xmlmodifier -s
//filtering/Container/EncryptedContainersHandling/NotificationText/@value
<text> filtering.xml

Default value: The encrypted container attached to this email was removed. File
attachment: ${FILE_NAME}. File ${QUARANTINED}.
10 Restart the Symantec Protection Engine service.
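
The file name filter from the "Configuring file name filtering" section and the "Denied file names" notification from Tables 10-5 and 10-6, emulated as an added example; this is not Symantec Protection Engine code. It assumes the matching semantics the guide states (one entry per line, case-insensitive, * wildcards, applied here as shell globs), and the deny list, attachment names and function names (match_deny_entry, subst, filter_attachment) are constructed for the example.

```sh
#!/bin/sh
# Added example, not Symantec Protection Engine code: emulates the file name
# filter's "Delete the file or the attachment" action and renders the
# "Denied file names" notification with the variables from Table 10-6.
# Assumptions: deny-list entries are matched as case-insensitive shell globs
# (the guide states case-insensitive search strings with * wildcards); the
# deny list and attachment names below are constructed sample data.

# Constructed deny list in the one-entry-per-line format that
# "xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items <file>" loads.
DENY_FILE_NAMES='*virus*
invoice.exe
*.scr'

# Default "Denied file names" text from Table 10-5.
DENY_FILE_NAMES_TEXT='The file attached to this email was removed because the file name is not allowed. File attachment: ${FILE_NAME}. Matched pattern: ${MATCHING_FILENAME_ENTRY}.'

# match_deny_entry NAME: prints the first deny-list entry that matches NAME
# (case-insensitive wildcard match) and returns 0; returns 1 when none matches.
match_deny_entry() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$DENY_FILE_NAMES" | (
        while IFS= read -r pattern; do
            [ -n "$pattern" ] || continue
            lower=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
            # $lower is deliberately unquoted so the shell treats it as a glob.
            case "$name" in
                $lower) printf '%s\n' "$pattern"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# subst STRING PLACEHOLDER VALUE: replaces every literal occurrence of
# PLACEHOLDER (for example '${FILE_NAME}') with VALUE; no regex is involved,
# so a value such as '*virus*' cannot be misread.
subst() {
    s=$1; ph=$2; val=$3; out=''
    while :; do
        case "$s" in
            *"$ph"*) out="$out${s%%"$ph"*}$val"; s=${s#*"$ph"} ;;
            *) printf '%s\n' "$out$s"; return 0 ;;
        esac
    done
}

# render_deny_notification NAME ENTRY: fills in the Table 10-5 default text.
render_deny_notification() {
    t=$(subst "$DENY_FILE_NAMES_TEXT" '${FILE_NAME}' "$1")
    subst "$t" '${MATCHING_FILENAME_ENTRY}' "$2"
}

# filter_attachment NAME N: on a match, prints the replacement file name
# (DELETED<N>.TXT, N being the sequence number) with its text and returns 0;
# a name that passes the filter prints nothing and returns 1.
filter_attachment() {
    entry=$(match_deny_entry "$1") || return 1
    printf 'DELETED%s.TXT: ' "$2"
    render_deny_notification "$1" "$entry"
}

# Demo on constructed attachment names: only the matching ones are replaced,
# and the sequence number advances only for deleted attachments.
n=0
for attachment in 'Quarterly_VIRUS_report.docx' 'report.pdf' 'INVOICE.EXE'; do
    if filter_attachment "$attachment" "$n"; then n=$((n + 1)); fi
done
```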

Enabling Symantec Insight™ in the Core server only mode
Insight scanning is enabled by default. You must have a valid Insight scanning license to scan
for threats and to update Insight feeds.
Symantec Protection Engine also gives you an option to quarantine threats. You can quarantine
threats if you have configured the Quarantine server in Symantec Protection Engine.
To enable Symantec Insight™ in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable reputation-based Insight protection.
Command:
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/@enabled true
policy.xml

Allowed values:
■ true
Enables the Symantec Insight feature.
■ false
Disables the Symantec Insight feature.
Default value: true
3 Restart the Symantec Protection Engine service.
See “About quarantining files in Symantec Protection Engine ” on page 85.

Configuring the scanning aggression level in the Core server only mode
The scanning aggression level defines how aggressively the threat detection technologies
classify files as threats. The higher the aggression level, the more files are detected as
threats. However, a higher level also increases the possibility of false positives.
Following are the scanning aggression levels:
■ Known Bad
■ Low
■ Medium
■ High
To configure the scanning aggression level
1 Go to the Symantec Protection Engine installation directory.
2 Specify the scanning aggression level.
Command:
xmlmodifier -s
//policies/ThreatPolicies/InsightScanning/InsightPolicy/AggressionLevel/@value
<value> policy.xml

Allowed values:
■ 0
Known Bad - Potential threat detection is very low, which detects only the files that
are known to be bad.
■ 1
Low - Potential threat detection is low.
■ 2
Medium - Potential threat detection is higher than the low aggression level. By default,
medium level is selected in Symantec Protection Engine.
■ 3
High - Potential threat detection is the highest. However, there could be false positives
detected too.
Default value: 2
3 Restart the Symantec Protection Engine service.
See “Enabling Symantec Insight™ policy” on page 95.

Excluding files from scanning based on file size in the Core server only mode
You can specify a file size criterion to exclude files from scanning by Symantec threat detection
technologies.
To exclude files based on file size
1 Go to the Symantec Protection Engine installation directory.
2 Enable exclusion policy.
Command:
xmlmodifier -s //policies/ThreatPolicies/ExtensionPolicy/@value <value>
policy.xml

Allowed values:
■ 0 (disable)
■ 2 (enable)

Note: When you enable the exclusion policy, it gets enabled for file size, extension, and
true-type. Review the default values for the files getting excluded for extension and
true-type.

3 Specify the file size (in bytes), above which the files are excluded from scanning.
Command:
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightPolicy/
FileSizeExclusionThreshold/@value <value> policy.xml

Allowed values:
■ Type the file size in bytes.
■ Minimum value is 1 and maximum value is 2147000000.
Default value: 134217728 (bytes)


4 Restart the Symantec Protection Engine service.
See “Enabling Symantec Insight™ policy” on page 95.

Monitoring scanning requests in the Core server only mode
Symantec Protection Engine provides a feature that lets you define the expected scanning
load for specific time periods. When the Symantec Protection Engine scanning load decreases
significantly, it might indicate a performance issue. You can use this feature to detect possible
problems before they become critical. If Symantec Protection Engine detects fewer scan
requests than the expected load, it logs the event to the designated logging destinations and
alert destinations. The event is logged at the Warning level.
See “Logging levels and events” on page 142.
Symantec Protection Engine averages the number of scan requests for one minute. If the
average number of requests for that minute meets or exceeds the threshold, no alert is sent.
If the average number of scan requests for that minute is below the threshold, Symantec
Protection Engine sends an alert.
For example, if you set a threshold of 20 requests per second for Wednesday from 1:00 A.M.
to 2:00 A.M., Symantec Protection Engine does not generate an alert for any minute in which
it receives 1,200 or more requests (20 requests times 60 seconds). Symantec Protection
Engine only generates an alert for any minute in which it receives fewer than 1,200 requests.
You can control how scanning requests are monitored by editing the Configuration.xml file.
Add an entry in the Configuration.xml file in the following format:

<Weekday>
<Schedule enable="true" start="<start time in 24-hour format>"
end="<end time in 24-hour format>" threshold="<requests per second>"/>
</Weekday>

You can control how scanning requests are monitored in the following ways:
■ Enable or disable the scan request monitor feature.
■ Add a new schedule.
■ Activate or deactivate an existing schedule.
■ Delete a schedule.

To enable or disable the scan request monitor feature


1 Go to the Symantec Protection Engine installation directory and edit the
Configuration.xml file.

2 Configure monitoring of scanning requests.


Command:
xmlmodifier -s //configuration/Miscellaneous/RequestMonitoringSchedules/
EnableRequestMonitoring/@value true configuration.xml

Allowed values:
■ true
Enables monitoring scanning requests in Symantec Protection Engine.
■ false
Disables monitoring scanning requests in Symantec Protection Engine.
Default value: false
3 Restart the Symantec Protection Engine service.
To add a new schedule
1 Go to the Symantec Protection Engine installation directory and edit the
Configuration.xml file.

2 Add the following tags:

<Weekday>
<Schedule enable="true" start="<start time in 24-hour format>"
end="<end time in 24-hour format>" threshold="<requests per second>"/>
</Weekday>

For example:

<RequestMonitoringSchedules>
<EnableRequestMonitoring value="true"/>
<ExistingSchedules>
<Tuesday>
<Schedule enable="true" start="23" end="0" threshold="10"/>
</Tuesday>
</ExistingSchedules>
</RequestMonitoringSchedules>

3 Restart the Symantec Protection Engine service.



To activate or deactivate an existing schedule


1 Go to the Symantec Protection Engine installation directory and edit the
Configuration.xml file.

2 Edit the value in the following tag:

<Schedule enable="<value>" start="23" end="0" threshold="10"/>

Allowed values:
■ true
Activate an existing schedule.
■ false
Deactivate an existing schedule.

3 Restart the Symantec Protection Engine service.


To delete a schedule
1 Go to the Symantec Protection Engine installation directory and edit the
Configuration.xml file.

2 Delete the following tag:

<Schedule enable="<value>" start="23" end="0" threshold="10"/>

3 Restart the Symantec Protection Engine service.


See “How to monitor Symantec Protection Engine performance” on page 98.
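The per-minute check described in this section, written here as an added Python example rather than code from Symantec Protection Engine. It parses a RequestMonitoringSchedules fragment in the format shown above, multiplies the per-second threshold by 60, and returns a Warning-level event only for a minute that falls below the expected load. The sample configuration is constructed from the page's Tuesday 23-to-0 schedule and the 20-requests-per-second Wednesday case; reading end="0" as midnight at the end of the day is an assumption.

```python
# Evaluate per-minute scan-request counts against RequestMonitoringSchedules.
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the format shown above. The Tuesday schedule is the
# page's own example; the Wednesday 1:00-2:00 entry is the 20-requests-per-second
# case from the text, and the disabled 9-17 entry shows that enable="false" is skipped.
SAMPLE_CONFIG = """
<RequestMonitoringSchedules>
  <EnableRequestMonitoring value="true"/>
  <ExistingSchedules>
    <Tuesday>
      <Schedule enable="true" start="23" end="0" threshold="10"/>
    </Tuesday>
    <Wednesday>
      <Schedule enable="true" start="1" end="2" threshold="20"/>
      <Schedule enable="false" start="9" end="17" threshold="50"/>
    </Wednesday>
  </ExistingSchedules>
</RequestMonitoringSchedules>
"""

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def load_schedules(xml_text):
    """Return {weekday: [(start_hour, end_hour, requests_per_second), ...]} for
    enabled schedules only; an empty dict when EnableRequestMonitoring is false."""
    root = ET.fromstring(xml_text)
    flag = root.find("EnableRequestMonitoring")
    if flag is None or flag.get("value", "false").lower() != "true":
        return {}
    schedules = {}
    existing = root.find("ExistingSchedules")
    for day in ([] if existing is None else existing):
        if day.tag not in WEEKDAYS:
            raise ValueError(f"unknown weekday element <{day.tag}>")
        for sched in day.findall("Schedule"):
            if sched.get("enable", "false").lower() != "true":
                continue
            start, end = int(sched.get("start")), int(sched.get("end"))
            # Assumption: end="0" means midnight at the end of the day, so the
            # page's start="23" end="0" example covers 23:00 to 24:00.
            if end == 0:
                end = 24
            if not 0 <= start < end <= 24:
                raise ValueError(f"invalid window {start}-{end} on {day.tag}")
            schedules.setdefault(day.tag, []).append(
                (start, end, int(sched.get("threshold"))))
    return schedules


def _as_datetime(when):
    """Accept a datetime or an ISO-8601 string such as '2019-10-02T01:30'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def per_minute_threshold(schedules, when):
    """Expected requests for the minute containing `when`: the per-second
    threshold times 60 seconds, or None when no schedule covers that minute."""
    when = _as_datetime(when)
    for start, end, per_second in schedules.get(WEEKDAYS[when.weekday()], []):
        if start <= when.hour < end:
            return per_second * 60
    return None


def evaluate_minute(schedules, when, requests_seen):
    """Return a Warning-level event string when the minute's request count is
    below the expected load; None when it meets or exceeds it or no schedule applies."""
    when = _as_datetime(when)
    expected = per_minute_threshold(schedules, when)
    if expected is None or requests_seen >= expected:
        return None
    return (f"WARNING {when:%Y-%m-%d %H:%M} scan requests below expected load: "
            f"{requests_seen} < {expected}")


if __name__ == "__main__":
    schedules = load_schedules(SAMPLE_CONFIG)
    wednesday_0130 = "2019-10-02T01:30"  # constructed: 2019-10-02 is a Wednesday
    print(evaluate_minute(schedules, wednesday_0130, 1200))  # None: meets 20 * 60
    print(evaluate_minute(schedules, wednesday_0130, 1199))  # WARNING ...: 1199 < 1200
```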

Enabling resource consumption logging in the Core server only mode
Symantec Protection Engine captures the resources data every 5 seconds and logs it every
one minute. Thus, every minute 12 rows are added to the log file. The resource consumption
log files are saved in the default log directory as .rcl files.
To enable resource consumption logging in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable resource consumption logging.
Command:
xmlmodifier -s //configuration/Logging/LogResourceInfo/@enabled true
configuration.xml

Allowed values:
■ true
Enables resource consumption logging in Symantec Protection Engine.
■ false
Disables resource consumption logging in Symantec Protection Engine.
Default value: true
3 Specify the number of individual log files to retain (one per day).
Command:
xmlmodifier -s //configuration/Logging/LogResourceInfo/@logfilestokeep
<value> configuration.xml

Allowed values:
■ 0 to 365
Default value: 0
All resource consumption files will be maintained.
4 Restart the Symantec Protection Engine service.
See “About configuring local logging” on page 146.
See “Monitoring Symantec Protection Engine resources” on page 102.

Specifying the maximum file or message size to scan in the Core server only mode
If your client uses the ICAP protocol, you can specify a maximum size of files or messages to
scan. For messages, the maximum size includes the size of the entire message body and all
attachments. For container files, the maximum size includes the container file and all of its
contents. The files and mail messages that meet or exceed the maximum file size are blocked.
By default, Symantec Protection Engine has no limits on total file or message sizes.
To specify the maximum file or message size to scan
1 Go to the Symantec Protection Engine installation directory.
2 Specify the maximum file size (in bytes) that Symantec Protection Engine should accept.
Command:
xmlmodifier -s //filtering/FileAttribute/MaxFileSize/@value <value>
filtering.xml

Allowed values:
■ 1 to 4294967296 (4 GB)
■ 0
Default value: 0 (bytes)
3 Restart the Symantec Protection Engine service.
See “Enhance performance by limiting scanning” on page 109.

Setting container file limits in the Core server only mode
Symantec Protection Engine protects your network from the file attachments that can overload
the system, consume scanning resources, and degrade performance.
This protection includes the container files that have any of the following characteristics:
■ Overly large.
■ Contain large numbers of embedded, compressed files.
■ Are designed to maliciously use resources and degrade performance.
To enhance scanning performance and reduce your exposure to denial-of-service attacks,
you can impose limits to control how Symantec Protection Engine handles container files.
You can specify the following limits for handling container files:
■ The maximum file size, in MB, for the individual files that are in a container file.
■ The maximum number of nested levels to be decomposed for scanning.
Symantec Protection Engine scans a file and its contents until it reaches the maximum depth
that you specify. Symantec Protection Engine stops scanning any file that meets the maximum
file size limit. It then generates a log entry. Symantec Protection Engine resumes scanning
any remaining files. This process continues until Symantec Protection Engine scans all of the
files to the maximum depth (that do not meet any of the processing limits).
You can specify whether to allow or to deny access to files for which an established limit is
met or exceeded. Access is denied by default.

Warning: If you allow access to a file that has not been fully scanned, you can expose your
network to risks.

To set container file limits


1 Go to the Symantec Protection Engine installation directory.
2 Specify the maximum file size, in MB, for individual files in a container file.
Command:
xmlmodifier -s //filtering/Container/MaxExtractSize/@value <value>
filtering.xml

Allowed values:
■ 1 to 131072 (MB)
The maximum value that you can specify for individual files in tar, rar, and zip containers
is 131072 MB (~128 GB). The maximum value that you can specify for other containers
is 1907 MB (~2 GB).
■ 0
Disables this setting (so that no limit is imposed).
Default value: 100 (MB)
3 Specify the maximum depth of the container file that Symantec Protection Engine can
extract for scanning.
Command:
xmlmodifier -s //filtering/Container/MaxExtractDepth/@value <value>
filtering.xml

Allowed values:
■ 1 to 50
Default value: 10
4 Specify the maximum number of files that Symantec Protection Engine can extract for
scanning.
Command:
xmlmodifier -s //filtering/Container/MaxExtractFileCount/@value <value>
filtering.xml

Allowed values:
■ 0 to 32212254720
Default value: 0
5 Specify the action for the container files that exceed the limit for extract depth, size, file
count, and maximum cumulative extract size.
Command:
xmlmodifier -s //filtering/Container/<MaxExtractDepth, MaxExtractSize,
MaxExtractFileCount, or MaxCumulativeExtractSize>/@actionpolicy <value>
filtering.xml

Allowed values:
■ 0
Creates a log entry and allows access to the file.
■ 1
Blocks access to the file.
For example, to block access to a container file that exceeds the maximum extract size limit,
run the following command:
xmlmodifier -s //filtering/Container/MaxExtractSize/@actionpolicy 1
filtering.xml

6 Restart the Symantec Protection Engine service.


See “Enhance performance by limiting scanning” on page 109.
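An added Python example (not Symantec's code) of how the limits in this section interact: per-file extract size in MB, nested extract depth, file count, and the two @actionpolicy values. The zip archives it inspects are constructed in memory; handling ZIP containers only and reading at most one byte over the size cap are this example's own choices, and the 1 MB limit in the demonstration simply keeps the test data small.

```python
# Apply the container file limits above (extract depth, per-file extract size,
# file count, action policy) to an in-memory zip, including nested zips.
import io
import zipfile

MB = 1024 * 1024
LOG_AND_ALLOW, BLOCK = 0, 1  # the two @actionpolicy values described above


class ContainerLimits:
    """Mirrors the filtering.xml settings: sizes in MB as on the page, 0 disables
    the size or count limit, and the action defaults to 1 (block access)."""

    def __init__(self, max_extract_size_mb=100, max_extract_depth=10,
                 max_extract_file_count=0, action_policy=BLOCK):
        self.max_bytes = max_extract_size_mb * MB
        self.max_depth = max_extract_depth
        self.max_files = max_extract_file_count
        self.action_policy = action_policy


def _walk(data, limits, depth, state):
    """Decompose one container level. A file over the size limit is logged and
    skipped and scanning resumes with the rest; depth and count limits stop descent."""
    if depth > limits.max_depth:
        state["log"].append(f"MaxExtractDepth {limits.max_depth} exceeded at depth {depth}")
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or state["stop"]:
                continue
            state["files"] += 1
            if limits.max_files and state["files"] > limits.max_files:
                state["log"].append(f"MaxExtractFileCount {limits.max_files} exceeded")
                state["stop"] = True  # nothing further is extracted at any level
                return
            with zf.open(info) as fh:
                # Bounded read: decompress at most the cap plus one byte, so a
                # highly compressed member cannot exhaust memory during the check.
                payload = fh.read(limits.max_bytes + 1) if limits.max_bytes else fh.read()
            if limits.max_bytes and len(payload) > limits.max_bytes:
                state["log"].append(
                    f"MaxExtractSize {limits.max_bytes // MB} MB exceeded by {info.filename}")
                continue  # stop scanning this file, resume with the others
            if zipfile.is_zipfile(io.BytesIO(payload)):
                _walk(payload, limits, depth + 1, state)
            # A real engine would hand `payload` to the scanner at this point.


def scan_container(data, limits):
    """Return (allowed, log, files_seen). With action policy 1 any limit that is
    met denies access to the whole container; with 0 the limits are only logged."""
    state = {"files": 0, "log": [], "stop": False}
    _walk(data, limits, 1, state)
    allowed = not state["log"] or limits.action_policy == LOG_AND_ALLOW
    return allowed, state["log"], state["files"]


def build_zip(members):
    """Constructed test data: {name: bytes} -> zip archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels, leaf=b"hello"):
    """Constructed test data: a zip nested `levels` deep with one leaf file."""
    data = build_zip({"leaf.txt": leaf})
    for i in range(levels - 1):
        data = build_zip({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    limits = ContainerLimits(max_extract_size_mb=1, max_extract_depth=2)
    print(scan_container(nested_zip(2), limits))  # (True, [], 2)
    print(scan_container(nested_zip(3), limits))  # (False, ['MaxExtractDepth 2 exceeded at depth 3'], 2)
    bomb_like = build_zip({"big.bin": b"\0" * (MB + 1), "small.txt": b"ok"})
    print(scan_container(bomb_like, limits))      # (False, ['MaxExtractSize 1 MB exceeded by big.bin'], 2)
```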

Enabling URL filtering in the Core server only mode


Symantec Protection Engine is provided with a minimal set of URL definitions. We recommend
that you run LiveUpdate to update the URL definitions before you start URL filtering.
URL filtering can be enabled during installation. If you did not enable URL filtering during
installation, follow the steps below to enable it.
To enable URL filtering in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable URL filtering.
Command:
xmlmodifier -s //filtering/URLFilter/@enabled true filtering.xml

Allowed values:
■ true
Enables URL filtering.
■ false
Disables URL filtering.
Default value: false
3 Select the Filtering mode or Audit mode.
Command:
xmlmodifier -s //filtering/URLFilter/FilteringMode/@value <value>
filtering.xml

Allowed values:
■ 1
Filtering mode
■ 0
Audit mode
Default value: 1
4 Restart the Symantec Protection Engine service.
See “About the filtering modes” on page 131.

Enabling URL Reputation in the Core server only mode


The URL Reputation feature is disabled by default. You must enable it and configure the additional
parameters according to your requirements.
To enable URL Reputation
1 Go to the Symantec Protection Engine installation directory.
2 Enable URL Reputation.
Command:
xmlmodifier -s //filtering/URLReputation/@enabled true filtering.xml

Allowed values:
■ true
Enables URL Reputation.
■ false
Disables URL Reputation.
Default value: false
3 Restart the Symantec Protection Engine service.

Denying access to URLs in URL categories in the Core server only mode
Symantec Protection Engine includes predefined URL categories. URL categories consist of
URLs that contain related subject matter. You can deny access to URLs when you add the
category to the DenyVendorCategories list. When you deny access to a URL category, access
to the URLs that are contained in that category is denied. However, you can override the
categorization of a URL.
See “Overriding a URL categorization” on page 137.


None of the URL categories are in the DenyVendorCategories list and access to the URLs
in every category is permitted by default. You must select the URL categories that you want
to add to the DenyVendorCategories list.
To deny access to URLs in URL categories
1 Go to the Symantec Protection Engine installation directory.
2 Add URL categories that you want to block.
Create a text file and add the URL categories that you want to block. These categories
are case sensitive.
Command:
xmlmodifier -b //filtering/URLFilter/DenyVendorCategories/items <name of
the text file created above> filtering.xml

Allowed categories: Valid vendor categories to be blocked


See “About predefined URL categories” on page 118.
3 Restart the Symantec Protection Engine service.

Customizing the access denied message in the Core server only mode
Symantec Protection Engine displays an Access denied message to the user when access to
a Web site is blocked. The default message is as follows:
Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}
You can customize the message using the following variables:

${URL_REQUESTED}   The URL address that the user requested.

${REASON}          An explanation of why the URL address that the user requested is blocked.
                   When a Web site is blocked due to a URL violation, the ${REASON} variable
                   reads as follows:
                   Found in denied list <(category)>
                   where <(category)> is the URL or local category that contains the URL that
                   is denied.

To customize the access denied message


1 Go to the Symantec Protection Engine installation directory.
2 Customize the access denied message.
Command:
xmlmodifier -s //filtering/URLFilter/AccessDeniedMessage/@value <customized
message> filtering.xml

Default value: Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}


3 Restart the Symantec Protection Engine service.
See “How to filter a URL” on page 131.
See “Customizing the access denied message in the Core server only mode” on page 206.

Specifying the log bind address in the Core server only mode
You can set a log bind address for each Symantec Protection Engine so that you can more
easily identify the originating protection engine. When you use this feature, the log bind address
of the originating Symantec Protection Engine is included in all alert messages.
For example, setting the log bind address is helpful if you have multiple Symantec Protection
Engines that listen on the loopback interface (127.0.0.1). The IP address on which Symantec
Protection Engine listens is used in SNMP and SMTP alert messages to identify the originating
Symantec Protection Engine. Therefore, it is not possible to determine which Symantec
Protection Engine originated the message when more than one uses the loopback interface.
You can set a unique log bind address for each Symantec Protection Engine to provide a
method for identifying each Symantec Protection Engine.
If your client uses ICAP and you do not specify a log bind address, Symantec Protection Engine
selects one for you. Symantec Protection Engine determines the log bind address based on
the scanning bind addresses.

To specify the log bind address in Symantec Protection Engine


1 Go to the Symantec Protection Engine installation directory.
2 In the Log bind address parameter, type an IP address to identify the computer on which
Symantec Protection Engine is running.
Command:
xmlmodifier -s //configuration/Logging/AlertBindAddress/@value <value>
configuration.xml

Allowed values: Valid IP address


3 Restart the Symantec Protection Engine service.
See “Configuring ICAP options” on page 76.

Specifying the local logging level in the Core server only mode
Symantec Protection Engine sends logging events to the local logs by default. You can change
the types of events that are sent to the local logs. The default logging level for the local logs
is Warning.
See “Logging levels and events” on page 142.
See “Changing the directory where log files are located” on page 147.
To specify the local logging level
1 Go to the Symantec Protection Engine installation directory.
2 Specify the local logging level.
Command:
xmlmodifier -s //configuration/Logging/LogLocal/@loglevel <value>
configuration.xml

Allowed values:
■ 0
None
■ 1
Error
■ 2
Outbreak
■ 3
Warning
■ 4
Information
■ 5
Verbose
■ 6
Audit
Default value: 3
The default logging level is Warning. Select Verbose only if you have been instructed to
do so by Symantec Technical Support to troubleshoot issues.
3 Restart the Symantec Protection Engine service.

Changing the directory where log files are located in the Core server only mode
You can change the location of the local log file and the statistics log files. You cannot change
the file names. The default location for the log files for Linux is /opt/SYMCScan/log.
Symantec Protection Engine creates a new local log file for each day. The file names have
the following format: SSEyyyymmdd.log, where yyyy is the year, mm is the month, and dd is
the day.
The disk space that is required for the log files varies, depending upon your scan volume,
associated activity, and how long you retain the log files. The specified location must be large
enough to accommodate these files. If you change the log file location, old log files remain in
the former directory and are not removed during uninstallation. Old logs must be removed
manually.

To change the directory where log files are located


1 Go to the Symantec Protection Engine installation directory.
2 Change the directory where log files are located.
Command:
xmlmodifier -s //configuration/Logging/LogDir/@value "valid log directory"
configuration.xml

Allowed values: Valid directory path.


Default value: Symantec Protection Engine installation directory.
Linux: /opt/SYMCScan/log
3 Restart the Symantec Protection Engine service.
See “Changing the length of time that log files are maintained” on page 148.

Changing the number of log files to be maintained in the Core server only mode
Symantec Protection Engine creates a new log file for each day. You can specify the number
of log files that Symantec Protection Engine retains to keep the log directory at a manageable
size. Thus, when the maximum number of log files is reached, the oldest log file is removed
on a daily basis. In its default configuration, this setting is enabled and the default value is 0.
That means all the log files are retained.
To change the length of time for which the log files are maintained
1 Go to the Symantec Protection Engine installation directory.
2 Specify the number of log files that you want to maintain.
Command:
xmlmodifier -s //configuration/Logging/LogLocal/@logfilestokeep <value>
configuration.xml

Allowed values: 0 to 365


Default value: 0
3 Restart the Symantec Protection Engine service.
See “Exporting local log data to a file” on page 157.

Enabling statistics reporting in the Core server only mode
You can configure Symantec Protection Engine to maintain and report cumulative scan data.
You must enable logging to the statistics logs so that you can view statistics reports. You can
select a date range and time range for the report and view the scanning statistics for that range.
See “Viewing statistics log data” on page 158.
Symantec Protection Engine creates a new statistics log file for each day. The file name has
the following format: SSEyyyymmdd.dat, where yyyy is the year, mm is the month, and dd is
the day.
The statistics log files are stored in the same location as the log files. The default location for
the log files for Linux is /opt/SYMCScan/log.
To enable statistics reporting in Symantec Protection Engine
1 Go to the Symantec Protection Engine installation directory.
2 Enable statistics reporting in Symantec Protection Engine.
Command:
xmlmodifier -s //configuration/Logging/LogStatistics/@enabled true
configuration.xml

Allowed values:
■ true
Enables statistics reporting in Symantec Protection Engine.
■ false
Disables statistics reporting in Symantec Protection Engine.
Default value: true
3 Restart the Symantec Protection Engine service.
See “Changing the length of time that log files are maintained” on page 148.
See “About configuring local logging” on page 146.

Configuring logging to the Linux Syslog in the Core server only mode
If you are running Symantec Protection Engine on Linux, you can configure Symantec Protection
Engine to log events to the Linux Syslog. You can also select the types of events that are
logged. The default logging level is None (deactivated). Logs are saved at the /var/log/messages
location.
You must be running Symantec Protection Engine on Linux to use this feature.
To configure logging to the Linux Syslog
1 Go to the Symantec Protection Engine installation directory.
2 Configure logging to the Linux Syslog.
Command:
xmlmodifier -s //configuration/Logging/Syslog/@loglevel <value>
configuration.xml

Allowed values:
■ 0
None
■ 1
Error
■ 2
Outbreak
■ 3
Warning
■ 4
Information
■ 5
Verbose
■ 6
Audit

3 Restart the Symantec Protection Engine service.

Activating SMTP alerts in the Core server only mode


When you activate SMTP alerts, you must identify a primary SMTP server for forwarding alert
messages. You must also specify the email addresses of the recipients and the local domain
for Symantec Protection Engine. You can specify a second SMTP server if one is available.
You must select the types of events for which SMTP alert messages are generated.

To activate SMTP alerts


1 Go to the Symantec Protection Engine installation directory.
2 Configure the SMTP notification level.
Command:
xmlmodifier -s //configuration/Logging/LogSMTP/@loglevel <value>
configuration.xml

Allowed values:
■ 0
None
■ 1
Error
■ 2
Outbreak
■ 3
Warning
■ 4
Information
■ 6
Audit
Default value: 0
SMTP alerts are not activated by default. The SMTP notification level is set to None. The
Verbose notification level is not available for SMTP alerting.
3 In the Primary server address parameter, configure the IP address or host name of the
primary SMTP server that forwards the alert messages.
Command:
xmlmodifier -s //configuration/Logging/LogSMTP/@primary <value>
configuration.xml

Allowed values: Valid IP address or the host name of the SMTP server.
4 In the secondary server address parameter, type the IP address or host name of a
secondary SMTP server (if one is available) that forwards the alert messages if
communication with the primary SMTP server fails.
Command:
xmlmodifier -s //configuration/Logging/LogSMTP/@secondary <value>
configuration.xml

Allowed values: Valid IP address or the host name of the SMTP server.
5 In the SMTP domain parameter, type the local domain for Symantec Protection Engine.
Command:
xmlmodifier -s //configuration/Logging/LogSMTP/@domain <domain name>
configuration.xml

The domain name is added to the "From" box for SMTP messages. SMTP alert messages
that Symantec Protection Engine generates originate from
SymantecProtectionEngine@<domainname>, where <domainname> is the domain name
that you specify in the SMTP domain parameter.
6 Create a text file and add the email addresses of the recipients of the SMTP alert
messages. You can add multiple email addresses in the same file. Ensure that you type one
entry per line.
Command:
xmlmodifier -b //configuration/Logging/LogSMTP/RecipientList/items <name
of the text file created above> configuration.xml

7 Restart the Symantec Protection Engine service.


See “Logging levels and events” on page 142.
See “About configuring alerts” on page 151.

Activating SNMP alerts in the Core server only mode


To activate SNMP alerts, you must provide the SNMP community string and an IP address
for a primary SNMP console for receiving the alert messages. You can specify a second SNMP
console if one is available. A secondary SNMP console is optional. Alert messages are sent
to the primary SNMP console and secondary SNMP console in all instances. You can also
configure ports for the primary server and secondary server.
The Management Information Base file (symantecprotectionengine.mib) is located in the
Tools\MIB folder in the Symantec_Protection_Engine_Tools_8.1.0.XX_IN.zip file. You
can use the symantecprotectionengine.mib file to configure the SNMP alerts.
You must select the types of events for which SNMP alert messages are generated.

To activate SNMP alerts


1 Go to the Symantec Protection Engine installation directory.
2 Configure the SNMP notification level.
Command:
xmlmodifier -s //configuration/Logging/LogSNMP/@loglevel <value>
configuration.xml

Allowed values:
■ 0
None
■ 1
Error
■ 2
Outbreak
■ 3
Warning
■ 4
Information
■ 6
Audit
Default value: 0
SNMP alerts are not activated by default. The SNMP notification level is set to None. The
Verbose notification level is not available for SNMP alerting.
3 In the Primary server address parameter, configure the IP address or host name of the
primary SNMP server that forwards the alert messages.
Command:
xmlmodifier -s //configuration/Logging/LogSNMP/@primary <value>
configuration.xml

Allowed values: Valid IP address or the host name of the SNMP server.
4 In the Primary server port parameter, type the port number of the primary SNMP console
to receive the alert messages.
Command:
xmlmodifier -s //configuration/Logging/LogSNMP/@primaryport <value>
configuration.xml

Allowed values: Valid port number of the primary SNMP console to receive the alert
messages.
Default value: 162
5 In the secondary server address parameter, type the IP address or host name of a
secondary SNMP server (if one is available) that forwards the alert messages if
communication with the primary SNMP server fails.
Command:
xmlmodifier -s //configuration/Logging/LogSNMP/@secondary <value>
configuration.xml

Allowed values: Valid IP address or the host name of the SNMP server.
6 In the secondary server port parameter, type the port number of the secondary SNMP console
to receive the alert messages.
Command:
xmlmodifier -s //configuration/Logging/LogSNMP/@secondaryport <value>
configuration.xml

Allowed values: Valid port number of the secondary SNMP console to receive the alert
messages.
Default value: 162
7 Restart the Symantec Protection Engine service.
See “Logging levels and events” on page 142.
See “About configuring alerts” on page 151.

Configuring outbreak alerts in the Core server only mode
Symantec Protection Engine can issue alerts when a specified number of the same type of
threat or policy violation occurs in a given time interval. You can use outbreak alerts as an
early warning for potential outbreaks. Alerts of outbreaks can help you take the necessary
precautions to protect your network.
You can select the types of events for which you want to receive alerts. For each event type,
you can configure the threshold number of occurrences and the time interval. If the number
of occurrences meets or exceeds the configured threshold for the selected interval, Symantec
Protection Engine generates an alert.
Table 10-7 lists the outbreak alert events that you can configure.

Table 10-7 Outbreak alert events

Event            Description
Virus            A viral threat was detected.
Infection        An infection was detected.
urlblock         A URL was blocked due to a URL filtering violation.
ContainerLimit   A maximum file extraction size or depth was met or exceeded.
FileAttribute    Any file attribute violation was detected.
AnyNonViral      A nonviral threat was detected.
SameNonViral     One or more incidences of the same type of nonviral threat were detected.
HighRisk         A high risk rating threat was detected.
MediumRisk       A medium risk rating threat was detected.

To configure outbreak alerts


1 Go to the Symantec Protection Engine installation directory.
2 Enable outbreak for a threat or policy violation event.
Command:
xmlmodifier -s //configuration/Logging/Outbreak/<Threat or Policy Violation
Event>/@enabled true configuration.xml

where the threat or policy violation event can be Infection, Virus, ContainerLimit,
FileAttribute, urlblock, AnyNonViral, SameNonViral, HighRisk, or MediumRisk.
Allowed values:
■ true
Enables an outbreak alert.
■ false
Disables an outbreak alert.
Default value: false
For example, to enable an outbreak alert for container limit violation:
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@enabled
true configuration.xml

3 Configure the time interval for an outbreak alert.
This parameter configures the time interval. If the number of threats or policy violations detected
in this time interval is more than the configured threshold value, Symantec Protection
Engine generates an outbreak alert.
Command:
xmlmodifier -s //configuration/Logging/Outbreak/<Threat or Policy Violation
Event>/@interval <interval in seconds> configuration.xml

Where, threat or policy violation event can be Infection, Virus, ContainerLimit,


FileAttribute, urlblock, AnyNonViral, SameNonViral, HighRisk, and MediumRisk.
Allowed values: 1 to 1000000 seconds
Default value: 1 second
For example, to configure the time interval for container limit violation,
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@interval
300 configuration.xml

4 Configure the threshold value for an outbreak alert.


This parameter configures a threshold value for a threat or policy violation. If those threat
or policy violations detected are more than the configured threshold value in the configured
time interval, Symantec Protection Engine generates an outbreak alert.
Command:
xmlmodifier -s //configuration/Logging/Outbreak/<Threat or Policy Violation
Event>/@threshold <threshold value> configuration.xml

Where, threat or policy violation event can be Infection, Virus, FileAttribute, urlblock,
AnyNonViral, SameNonViral, HighRisk, and MediumRisk.
Allowed values: 2 to 1000000
Default value: 2
For example, to configure the threshold value for container limit violation,
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@threshold
10 configuration.xml

5 Restart the Symantec Protection Engine service.


See “About configuring alerts” on page 151.
Working with the Core server only mode 219
Configuring LiveUpdate to occur automatically in the Core server only mode

See “Logging levels and events” on page 142.
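The following Python script is an added example and is not Symantec code or part of the product. It reads the per-event enabled, interval and threshold attributes at the XPaths used in the procedure above from a constructed configuration.xml fragment, checks them against the allowed ranges, and replays a constructed stream of detections through the rule the section introduction states: an alert fires when the number of occurrences within the interval meets or exceeds the threshold. The names OutbreakMonitor and replay are the example's own, and clearing the counting window after an alert is an assumption about behaviour the guide does not describe.

```python
"""Outbreak-alert evaluation based on the configuration.xml settings above.

Added example, not Symantec code. Constructed inputs are marked as such.
"""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed configuration.xml fragment using the XPaths from the procedure
# (/configuration/Logging/Outbreak/<Event>/@enabled, @interval, @threshold).
SAMPLE_CONFIG = """<configuration>
  <Logging>
    <Outbreak>
      <ContainerLimit enabled="true" interval="300" threshold="3"/>
      <Virus enabled="false" interval="1" threshold="2"/>
    </Outbreak>
  </Logging>
</configuration>"""

# Allowed ranges from the procedure: interval 1..1000000 s, threshold 2..1000000.
INTERVAL_RANGE = (1, 1_000_000)
THRESHOLD_RANGE = (2, 1_000_000)


def load_outbreak_settings(xml_text):
    """Return {event: (enabled, interval_seconds, threshold)} after range checks."""
    root = ET.fromstring(xml_text)
    settings = {}
    for node in root.findall("./Logging/Outbreak/*"):
        enabled = node.get("enabled", "false").lower() == "true"
        interval = int(node.get("interval", "1"))
        threshold = int(node.get("threshold", "2"))
        if not INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1]:
            raise ValueError(f"{node.tag}: interval {interval} outside 1..1000000")
        if not THRESHOLD_RANGE[0] <= threshold <= THRESHOLD_RANGE[1]:
            raise ValueError(f"{node.tag}: threshold {threshold} outside 2..1000000")
        settings[node.tag] = (enabled, interval, threshold)
    return settings


class OutbreakMonitor:
    """Sliding-window counter per event type.

    An alert fires when the occurrences seen within `interval` seconds of the
    newest one reach `threshold` ("meets or exceeds", as the section
    introduction puts it). Clearing the window after an alert is an assumption;
    the guide does not say how the engine re-arms.
    """

    def __init__(self, settings):
        self.settings = settings
        self.windows = {event: deque() for event in settings}

    def record(self, event, timestamp):
        """Record one occurrence at `timestamp` (seconds); True if it triggers an alert."""
        if event not in self.settings:
            return False
        enabled, interval, threshold = self.settings[event]
        if not enabled:
            return False
        window = self.windows[event]
        window.append(timestamp)
        # Forget occurrences that are a full interval or more older than this one.
        while timestamp - window[0] >= interval:
            window.popleft()
        if len(window) >= threshold:
            window.clear()
            return True
        return False


def replay(settings, events):
    """Replay (event, timestamp) pairs in order; return timestamps at which alerts fire."""
    monitor = OutbreakMonitor(settings)
    return [ts for event, ts in events if monitor.record(event, ts)]


# Constructed detection stream: three ContainerLimit violations inside 300 s,
# then two that are 400 s apart, then Virus events for a disabled alert.
SAMPLE_EVENTS = [
    ("ContainerLimit", 0), ("ContainerLimit", 100), ("ContainerLimit", 200),
    ("ContainerLimit", 1000), ("ContainerLimit", 1400),
    ("Virus", 5), ("Virus", 6),
]

if __name__ == "__main__":
    cfg = load_outbreak_settings(SAMPLE_CONFIG)
    print("outbreak alerts at:", replay(cfg, SAMPLE_EVENTS))  # [200]
```

Running the script with the constructed stream reports a single alert at t=200, the point at which three ContainerLimit events have occurred within the 300 second interval; the two later events are too far apart to count together, and the Virus events are ignored because that alert is disabled.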

Configuring LiveUpdate to occur automatically in the Core server only mode
You can schedule LiveUpdate to occur automatically at a specified time interval to ensure that
Symantec Protection Engine always has the most current definitions. When you install a valid
antivirus content license or URL content license, Symantec Protection Engine automatically
tries to perform a LiveUpdate. By default, Symantec Protection Engine is configured to perform
a LiveUpdate every two hours.
When LiveUpdate is scheduled, it runs at the specified time interval that is relative to the
LiveUpdate base time. The default LiveUpdate base time is the time that Symantec Protection
Engine was installed. You can change the LiveUpdate base time by editing the configuration
file. If you change the scheduled LiveUpdate interval, the interval adjusts based on the
LiveUpdate base time.
You can also schedule LiveUpdate to occur at a specific time or time range of the day. You can specify the hour and minute of the day, and LiveUpdate triggers at the specified time. If you do not want LiveUpdate to trigger exactly at the start hour and minute, you can specify a time range of up to 30 minutes. LiveUpdate then triggers at a random time within the specified time range.
To schedule a LiveUpdate at a specific frequency
1 Go to the Symantec Protection Engine installation directory.
2 Enable the LiveUpdate schedule so that LiveUpdate runs at a specific time interval.
Command:
xmlmodifier -s //liveupdate/Schedule/@enabled true liveupdate.xml
Allowed values:
■ true
Enables scheduled LiveUpdate.
■ false
Disables scheduled LiveUpdate.
Default value: true
3 Set the LiveUpdate interval.
Command:
xmlmodifier -s //liveupdate/Schedule/Interval/@value <value> liveupdate.xml
Allowed values: Any numerical value in seconds.
Default value: 7200
4 Restart the Symantec Protection Engine service.
To schedule a LiveUpdate at a specific time or range of the day
1 Go to the Symantec Protection Engine installation directory.
2 Enable the LiveUpdate schedule that triggers at a specific time range of the day.
Command:
xmlmodifier -s //liveupdate/TimeRangeSchedule/@enabled true liveupdate.xml
Allowed values:
■ true
Enables the LiveUpdate schedule at a specific time range.
■ false
Disables the LiveUpdate schedule at a specific time range.
Default value: false
3 Specify the start hour of the LiveUpdate schedule.
Command:
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@starthour <hour> liveupdate.xml
Allowed values:
■ 0 to 23 hours
Default value: 0
4 Specify the start minute of the LiveUpdate schedule.
Command:
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@startminute <minute> liveupdate.xml
Allowed values:
■ 0 to 59 minutes
Default value: 0
5 Specify a time window of up to 30 minutes in which to trigger the LiveUpdate.
If you do not want LiveUpdate to trigger exactly at the start hour and minute, you can use a time window of up to 30 minutes. For example, if you specify a time window of 20 minutes, LiveUpdate triggers at any time during the 20 minutes that follow the start time.
Command:
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@timewindow <minutes> liveupdate.xml
Allowed values:
■ 0 to 29 minutes
Default value: 0
6 Restart the Symantec Protection Engine service.
See “Change the LiveUpdate base time” on page 265.
See “About LiveUpdate” on page 164.
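The following Python script is an added example, not Symantec code. It reads the Schedule and TimeRangeSchedule settings at the XPaths used in the two procedures above from a constructed liveupdate.xml fragment, checks the allowed ranges, and computes when the next LiveUpdate falls: interval runs are multiples of the interval counted from the LiveUpdate base time, and time-range runs are the daily start time plus a random offset inside the time window. The base time is passed in as a parameter because the guide does not show where it is stored; the function names are the example's own.

```python
"""When the next LiveUpdate runs, from the liveupdate.xml settings above.

Added example, not Symantec code. Reads the Schedule and TimeRangeSchedule
nodes at the XPaths used in the two procedures and computes the next run.
"""
import random
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed liveupdate.xml fragment; only the scheduling nodes are shown.
SAMPLE_LIVEUPDATE_XML = """<liveupdate>
  <Schedule enabled="true">
    <Interval value="7200"/>
  </Schedule>
  <TimeRangeSchedule enabled="false">
    <TimeRange starthour="2" startminute="30" timewindow="20"/>
  </TimeRangeSchedule>
</liveupdate>"""


def load_schedule(xml_text):
    """Return the schedule settings as a dict after checking the allowed ranges."""
    root = ET.fromstring(xml_text)
    sched = root.find("Schedule")
    rng = root.find("TimeRangeSchedule")
    tr = rng.find("TimeRange")
    cfg = {
        "interval_enabled": sched.get("enabled") == "true",
        "interval": int(sched.find("Interval").get("value")),
        "range_enabled": rng.get("enabled") == "true",
        "starthour": int(tr.get("starthour")),
        "startminute": int(tr.get("startminute")),
        "timewindow": int(tr.get("timewindow")),
    }
    if cfg["interval"] < 1:
        raise ValueError("Interval/@value must be a positive number of seconds")
    if not 0 <= cfg["starthour"] <= 23:
        raise ValueError("starthour must be 0 to 23")
    if not 0 <= cfg["startminute"] <= 59:
        raise ValueError("startminute must be 0 to 59")
    if not 0 <= cfg["timewindow"] <= 29:
        raise ValueError("timewindow must be 0 to 29")
    return cfg


def next_interval_run(base_time, interval_seconds, now):
    """Interval runs happen at base_time + k * interval; return the first one after `now`.

    This is why changing the interval shifts the next run relative to the base
    time rather than relative to the previous run.
    """
    if now < base_time:
        return base_time
    elapsed = (now - base_time).total_seconds()
    k = int(elapsed // interval_seconds) + 1
    return base_time + timedelta(seconds=k * interval_seconds)


def next_time_range_run(starthour, startminute, timewindow, now, rng=random):
    """Return the next daily start time plus a random offset inside the time window.

    With timewindow 0 the run is exactly at starthour:startminute; otherwise it
    lands somewhere in the `timewindow` minutes that follow the start time.
    """
    start = now.replace(hour=starthour, minute=startminute, second=0, microsecond=0)
    if start <= now:
        start += timedelta(days=1)
    offset = rng.randrange(timewindow * 60) if timewindow else 0
    return start + timedelta(seconds=offset)


if __name__ == "__main__":
    cfg = load_schedule(SAMPLE_LIVEUPDATE_XML)
    base = datetime(2019, 1, 1, 0, 0)  # constructed base time (installation time)
    now = datetime(2019, 1, 1, 4, 30)
    print("next interval run:", next_interval_run(base, cfg["interval"], now))
    print("next time-range run:", next_time_range_run(2, 30, 20, now))
```

Changing the interval from 7200 to 3600 seconds with the constructed base time of midnight moves the next run from 06:00 to 05:00 when it is 04:30, which is the effect the text describes when it says the interval adjusts based on the base time.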

Performing LiveUpdate on demand in the Core server only mode
You can use the command line to trigger a LiveUpdate on demand. LiveUpdate ensures that Symantec Protection Engine always has the most current definitions. You must create an empty file within the directory in which Symantec Protection Engine is installed. The empty file name must be LUNowFlag. Symantec Protection Engine periodically checks for this file and performs a LiveUpdate when this file is present. Symantec Protection Engine automatically removes the file before the LiveUpdate command runs.
You can choose to create the LUNowFlag file periodically by using schedulers. On Linux, you use the Unix cron scheduler.
See “About LiveUpdate” on page 164.

About editing the LiveUpdate XML file
You must configure LiveUpdate in the liveupdate.xml file so that Symantec Protection Engine always has the most current definition files.
See “About editing the Symantec Protection Engine configuration files” on page 257.
Table 10-8 lists the default parameters that are added to the liveupdate.xml file.

Table 10-8 Default Parameters in liveupdate.xml file

Parameter Description

Protocol Updated definition files are retrieved through HTTP or HTTPS. This information is required unless you use a host file. The default setting for the LiveUpdate transport protocol is HTTP.
XPath: /liveupdate/UpdateServer/Protocol/@value
See “Configure the LiveUpdate server details” on page 266.

Server name Symantec Protection Engine contacts a specified server to check for and to retrieve updated definition files. You must supply the appropriate LiveUpdate server name. The default server is liveupdate.symantec.com.
XPath: /liveupdate/UpdateServer/Server/@value
See “Configure the LiveUpdate server details” on page 266.

Server port You must specify the TCP/IP port on which the LiveUpdate server is listening. The default value is 80.
XPath: /liveupdate/UpdateServer/Port/@value
See “Configure the LiveUpdate server details” on page 266.

Server path Specify the directory on the LiveUpdate server that contains the LiveUpdate packages.
XPath: /liveupdate/UpdateServer/Path/@value
Note: This is an optional parameter.
See “Configure the LiveUpdate server details” on page 266.

User name Specify a user name to log on to the LiveUpdate server.
XPath: /liveupdate/UpdateServer/UserName/@value
Note: This is an optional parameter.
See “Configure the LiveUpdate server details” on page 266.

Password Specify a password to log on to the LiveUpdate server.
XPath: /liveupdate/UpdateServer/Password/@value
Note: This is an optional parameter.
See “Configure the LiveUpdate server details” on page 266.


Appendix A
Performing a silent installation
This appendix includes the following topics:

■ About silent installation and upgrade

■ Implementing a silent installation in Linux

■ Generating an encrypted password

About silent installation and upgrade


You can use the silent installation feature to automate the installation or upgrade of Symantec
Protection Engine. You can use the silent installation feature when you install or upgrade
multiple Symantec Protection Engines that have identical input values.
In Linux, you can capture the required input values for installation in a response file. You can
use the response file for subsequent installations to read in the values so that the installations
are silent. This response file frees you from having to repeatedly supply input values for each
installation.
See “Implementing a silent installation in Linux” on page 223.
See “Generating an encrypted password” on page 229.

Implementing a silent installation in Linux
Implementing a silent installation in Linux involves the following process:
■ Create a response file to capture your input values for installation.
See “Creating the response file” on page 224.
■ Run the installation program to read the response file.
This response file lets you perform the installation silently using the values that you specified.
See “About initiating a silent installation using the response file” on page 229.
See “About silent installation and upgrade” on page 223.

Creating the response file


To implement a silent installation in Linux, you must create a response file that contains the
parameters and input values for the required responses during installation. You can create
different response files for different installation scenarios. You must create the response file
before you install Symantec Protection Engine.
A default response file, called response, is included in the Symantec Protection Engine.zip
file. The response file is a text file that is preconfigured with the default settings for the Symantec
Protection Engine installation options. You must edit this response file so that it contains the
input values that you want for the silent installation.
For silent installation to initiate, the response/no-ask-questions file must be present in the
home directory of the user.

Note: Do not delete any of the parameters in the response file. The installer must read an input
value for each parameter. You must specify an input value for each parameter.

Table A-1 lists the input values that are contained in the response file.

Table A-1 Input values in the response file

Input name Description

Upgrade Specifies that the installation is an upgrade.
Possible values are:
■ NONE
Use this value if you do not want to perform an upgrade. This value is the default value.
■ UPGRADE
Use this value if you want to upgrade and you want to preserve your existing settings. You must configure all of the Java input values. All other input values are ignored.
■ CLEAN
Use this value to uninstall and reinstall the product. Configure the input values that you want to modify.

AdminPort The port number on which the Web-based console listens. The default port number is 8004.

AdminPassword The encrypted password for the virtual administrative account that you use to manage Symantec Protection Engine.
The default password is changeme.
See “Generating an encrypted password” on page 229.

SSLPort The Secure Socket Layer (SSL) port number on which encrypted files are transmitted for increased security.
The default port number is 8005.

InstallDir The location where to install Symantec Protection Engine.
The default location is /opt/SYMCScan.

User The name of an existing user under which Symantec Protection Engine runs.
The default setting is root.

JavaCmd The full path (can be a symlink) to the 64-bit Java Runtime Environment (JRE) 8.0 Update 111 or later executables.

JavaBinDir The full path (can be a symlink) to the 64-bit Java Runtime Environment (JRE) 8.0 Update 111 or later executables.
The installer assumes that the path that you enter is correct. If the path is incorrect or the JRE version is not the correct version, Symantec Protection Engine does not function properly. (Symantec Protection Engine might not function properly even if the installer reports that the installation was successful.)

JRELibDir You must provide this information so that the LD_LIBRARY_PATH variable can locate the file libjvm.so.
This version of Symantec Protection Engine supports 64-bit Java Runtime Environment (JRE) 8.0 Update 111 or later. The value of JavaJRELib is different for JRE 8 and JRE 10.
For JRE 8:
JavaJRELib=<java_base_location>/jre/lib/amd64
For JRE 10:
JavaJRELib=<java_install_location>/jre-10.0.2/lib
The installer assumes that the path that you enter is correct. If the path that you provide is incorrect, Symantec Protection Engine does not function properly even if the installer reports that the installation was successful.

CanRelocate (Linux only) The Boolean value that indicates the version of the Red Hat Package Manager (RPM) that you are running. If you are running RPM version 4.0.2 or 4.1, change this setting to 0. If you are not running RPM version 4.0.2 or 4.1, do not change the default setting. The default setting is 1.

EnableFilteringAndDownloadDefinitions Enables URL filtering and downloading of the URL definitions.
Possible values are as follows:
■ true: Use this value if you want to enable URL filtering in filtering mode and download URL definitions.
■ false: Use this value if you want to disable URL filtering and definition download.
This value is the default value.

UpdateServer Enter the LiveUpdate server name or IP address to which you want to connect.
This parameter is valid only for an upgrade where you preserve your existing settings. The default value is liveupdate.symantec.com.

UpdateServerPort Enter the LiveUpdate server port number.
This parameter is valid only for an upgrade where you preserve your existing settings. The default value is 80.

UpdateServerPath Enter the directory path on the LiveUpdate server that contains the LiveUpdate packages.
This parameter is valid only for an upgrade where you preserve your existing settings. If you do not specify a value, the default is blank.

UpdateServerProxyName Enter the LiveUpdate proxy server name or IP address.
This parameter is valid only for an upgrade where you preserve your existing settings. If you do not specify a value, the default is blank.

UpdateServerProxyPort Enter the LiveUpdate proxy server port number.
This parameter is valid only for an upgrade where you preserve your existing settings. The default value is 0.

Deployment Enter the application type.
Possible values are as follows:
■ 0 for Email Server
■ 1 for Proxy/Web cache server
■ 2 for Other Application
This is the default value.

ApplicationName Enter the name of the application for which Symantec Protection Engine will be used. This parameter is considered only if the Deployment value is 2 (Other Application).

IgnoreGlibcWarning Symantec Protection Engine checks the version of the glibc component during installation. A warning appears if the minimum required glibc version is not found.
Possible values are as follows:
■ true: Ignores the warning for an old version of glibc. Installation continues for older versions of glibc also. An unsupported version of glibc may cause Symantec Protection Engine to stop responding.
■ false: Does not ignore the warning for an old version of glibc. Installation is canceled.

AggressionLevel The scanning aggression level defines the detection aggression level for threat detection technologies. Configure the scanning aggression level.
Possible values are:
■ 0 (Known Bad)
■ 1 (Low)
■ 2 (Medium)
This is the default value.
■ 3 (High)

EnableJavaUI Enables the Core server with user interface feature.
Possible values are:
■ true: Use this value if you want to use the Core server with user interface mode. This method requires JRE to be installed.
■ false: Use this value if you want to use the Core server only mode. This method does not require JRE to be installed.

EnableURLReputationAndDownloadDefinition Enables URL Reputation.
■ true: Enables URL Reputation and downloads URL definitions.
■ false: Disables URL Reputation.

To create the response file for Linux
1 Locate the response file, response, in the Symantec Protection Engine.zip file and copy it to the home directory of the user.
Note: For the silent installation to initiate, the response file must be located in the /home directory of the user.
2 Rename the file as no-ask-questions and open the file.
3 Supply the input value for each parameter.
Make changes only to the right of the equal sign (=) for each parameter.
4 At AdminPassword=, copy and paste the encrypted string that the XML modifier command-line tool generated.
Ensure that you have copied the encrypted string in its entirety.
See “Generating an encrypted password” on page 229.
5 Save the file.
See “Implementing a silent installation in Linux” on page 223.
See “About initiating a silent installation using the response file” on page 229.
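The following Python script is an added example and is not part of the Symantec Protection Engine installer. It applies the rules of the procedure above and of Table A-1 when a script prepares the no-ask-questions file: it changes only the text to the right of the equal sign for the parameters you override, refuses to add or drop parameters, checks each value against the allowed values in the table, and writes the result into the home directory the installer looks in. The TEMPLATE is a constructed stand-in for the response file shipped in the product .zip, which remains the authoritative source of parameter names and order; the name JavaJRELib for the JRE library directory is taken from the table's own examples. The AdminPassword value must come from xmlmodifier -e, which this script does not replace.

```python
"""Preparing the no-ask-questions response file from a script.

Added example; not part of the Symantec Protection Engine installer. It edits
only the text to the right of "=" for the parameters you override, keeps every
parameter in place, checks values against Table A-1, and writes the file to the
home directory the installer looks in.
"""
import os

# Constructed template modelled on Table A-1. The `response` file in the product
# .zip is the authoritative source of parameter names and order.
TEMPLATE = """# constructed sample response file
Upgrade=NONE
AdminPort=8004
AdminPassword=
SSLPort=8005
InstallDir=/opt/SYMCScan
User=root
JavaCmd=
JavaBinDir=
JavaJRELib=
CanRelocate=1
EnableFilteringAndDownloadDefinitions=false
UpdateServer=liveupdate.symantec.com
UpdateServerPort=80
UpdateServerPath=
UpdateServerProxyName=
UpdateServerProxyPort=0
Deployment=2
ApplicationName=
IgnoreGlibcWarning=false
AggressionLevel=2
EnableJavaUI=false
EnableURLReputationAndDownloadDefinition=false
"""

JAVA_KEYS = ("JavaCmd", "JavaBinDir", "JavaJRELib")


def _one_of(*allowed):
    return lambda v: v in allowed


def _port(v, lowest=1):
    return v.isdigit() and lowest <= int(v) <= 65535


_bool = _one_of("true", "false")

# Allowed values per parameter, taken from Table A-1.
CONSTRAINTS = {
    "Upgrade": _one_of("NONE", "UPGRADE", "CLEAN"),
    "AdminPort": _port,
    "SSLPort": _port,
    "CanRelocate": _one_of("0", "1"),
    "EnableFilteringAndDownloadDefinitions": _bool,
    "UpdateServerPort": _port,
    "UpdateServerProxyPort": lambda v: _port(v, lowest=0),
    "Deployment": _one_of("0", "1", "2"),
    "IgnoreGlibcWarning": _bool,
    "AggressionLevel": _one_of("0", "1", "2", "3"),
    "EnableJavaUI": _bool,
    "EnableURLReputationAndDownloadDefinition": _bool,
}


def parse_response(text):
    """Split into (key, value) pairs; comment and blank lines are kept as (None, line)."""
    rows = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            rows.append((key.strip(), value))
        else:
            rows.append((None, line))
    return rows


def apply_overrides(text, overrides):
    """Return the file text with only the right-hand sides of the given keys changed."""
    rows = parse_response(text)
    known = {key for key, _ in rows if key is not None}
    unknown = set(overrides) - known
    if unknown:
        # Parameters are never added or removed: the installer reads every one.
        raise KeyError(f"not in the template: {sorted(unknown)}")
    values, out = {}, []
    for key, value in rows:
        if key is None:
            out.append(value)
            continue
        new = overrides.get(key, value)
        check = CONSTRAINTS.get(key)
        if check and not check(new):
            raise ValueError(f"{key}={new!r} is not an allowed value")
        values[key] = new
        out.append(f"{key}={new}")
    # Table A-1: an UPGRADE must have all of the Java inputs configured.
    if values.get("Upgrade") == "UPGRADE" and any(not values.get(k) for k in JAVA_KEYS):
        raise ValueError("Upgrade=UPGRADE requires JavaCmd, JavaBinDir and JavaJRELib")
    return "\n".join(out) + "\n"


def write_no_ask_questions(text, overrides, home_dir):
    """Write the edited file as <home_dir>/no-ask-questions and return its path."""
    path = os.path.join(home_dir, "no-ask-questions")
    with open(path, "w") as fh:
        fh.write(apply_overrides(text, overrides))
    os.chmod(path, 0o600)  # the file holds the encrypted AdminPassword string
    return path
```

The file is written with owner-only permissions because it carries the encrypted administrator password string and, as the next section notes, is not deleted after the silent installation.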

About initiating a silent installation using the response file


Ensure that the appropriate response file, called no-ask-questions, is located in the home
directory of the root user. The silent installation initiates automatically if the installer finds the
response file in the correct location. The existence of the no-ask-questions file in the home
directory tells the installer to perform the silent installation using the input values in the file.

Note: The no-ask-questions file is not deleted after the silent installation.

See “Implementing a silent installation in Linux” on page 223.
See “Creating the response file” on page 224.

Generating an encrypted password
Use the XML modifier command-line tool to protect the administrative password that is used to manage Symantec Protection Engine. This tool encrypts the password and returns an encrypted string. You must copy the encrypted string in its entirety and paste it in the appropriate location in the response file. The XML modifier command-line tool is included in the product .zip file.
To generate an encrypted password
1 At the command prompt, type the following command:
xmlmodifier -e <password>
where <password> is the password that you will use to access the Symantec Protection Engine console.
The tool returns an encrypted string.
2 Save the entire encrypted string that the tool returns.
See “Implementing a silent installation in Linux” on page 223.
Appendix B
Using the Symantec Protection Engine command-line scanner
This appendix includes the following topics:

■ About the Symantec Protection Engine command-line scanner

■ Setting up a computer to submit files to Symantec Protection Engine for scanning

■ C-based command-line scanner syntax and usage

■ Java based command-line scanner syntax and usage

About the Symantec Protection Engine command-line scanner
The Symantec Protection Engine command-line scanner is a multiplatform utility that works
with version 4.0.4 or later of Symantec Protection Engine. Symantec Protection Engine must
be running on supported versions of Linux. The command-line scanner acts as a client to
Symantec Protection Engine through the Symantec Protection Engine application programming
interface (API). It uses version 1.0 of the Internet Content Adaptation Protocol (ICAP), presented
in RFC 3507 (April 2003).
Symantec Protection Engine is shipped with the following command-line scanners:
■ C-based command-line scanner (ssecls.exe) compiled using the C software development kit
See “C-based command-line scanner syntax and usage” on page 232.
■ Java based command-line scanner (ssecls.jar) compiled using the Java software development kit
See “Java based command-line scanner syntax and usage” on page 247.

Note: The command-line scanner (ssecls.exe/ssecls.jar/ssecls binary) that is shipped with Symantec Protection Engine is meant for demonstration purposes to showcase the capabilities of the product in a limited manner. Symantec recommends that you develop your own connector application based on the SDK that is shipped with Symantec Protection Engine.

Use the command-line scanner to send files to Symantec Protection Engine to be scanned for viruses.
You can also use the command-line scanner to perform the following actions:
■ Recursively descend into subdirectories to scan multiple files.
■ Obtain information about the command-line scanner and Symantec Protection Engine operation.
See “Setting up a computer to submit files to Symantec Protection Engine for scanning” on page 231.
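The following Python script is an added example of the ICAP 1.0 (RFC 3507) exchange that a client such as the command-line scanner performs; it is not the shipped ssecls code. It frames a file as an ICAP RESPMOD request whose encapsulated HTTP response carries the file in chunked encoding, sends it to the engine's ICAP port, and parses the ICAP reply into a verdict. The service path /AVSCAN, the X-Infection-Found and X-Violations-Found header names, and the reply shown in SAMPLE_REPLY are assumptions and constructed data to be checked against your engine's ICAP settings; port 1344 is the registered ICAP port.

```python
"""ICAP/1.0 (RFC 3507) RESPMOD exchange of the kind the command-line scanner performs.

Added example; not the shipped ssecls code. It frames a file as an ICAP RESPMOD
request with an encapsulated HTTP response body in chunked encoding, sends it
to the engine's ICAP port, and parses the ICAP reply. The service path and the
X-Infection-Found/X-Violations-Found headers are assumptions to confirm against
your engine's ICAP settings; the sample reply below is constructed.
"""
import socket

ICAP_PORT = 1344  # registered ICAP port; use the port your engine listens on
ICAP_SERVICE = "/AVSCAN"  # assumed service path


def build_respmod_request(host, port, data):
    """Return the bytes of an ICAP RESPMOD request that carries `data` for scanning."""
    # The encapsulated HTTP response "delivers" the file; the ICAP Encapsulated
    # header gives the byte offsets of the HTTP header and of the body.
    http_res_hdr = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Length: {len(data)}\r\n"
        "\r\n"
    ).encode("ascii")
    icap_hdr = (
        f"RESPMOD icap://{host}:{port}{ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # let the engine answer 204 when the file is unchanged
        f"Encapsulated: res-hdr=0, res-body={len(http_res_hdr)}\r\n"
        "\r\n"
    ).encode("ascii")
    # ICAP bodies are always chunked: one chunk with the whole file, then "0".
    body = f"{len(data):x}\r\n".encode("ascii") + data + b"\r\n0\r\n\r\n"
    return icap_hdr + http_res_hdr + body


def parse_icap_response(raw):
    """Return (status_code, headers, remainder) from the start of an ICAP reply."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header")
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 reply: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def scan_verdict(status, headers):
    """Map the ICAP status and headers to a verdict a caller can act on."""
    if status == 204:
        return "clean"  # unmodified: nothing found
    if status == 200:
        if "x-infection-found" in headers or "x-violations-found" in headers:
            return "infected"
        return "modified"  # altered content came back without a threat header
    return f"error {status}"


def scan_bytes(host, data, port=ICAP_PORT, timeout=30):
    """Send `data` to the engine over ICAP and return (verdict, headers)."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_respmod_request(host, port, data))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(65536)
            if not chunk:
                break
            reply += chunk
    status, headers, _ = parse_icap_response(reply)
    return scan_verdict(status, headers), headers


# Constructed ICAP reply for a detection; header names are assumptions.
SAMPLE_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"ISTag: \"constructed-definitions-tag\"\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed.Test.Name;\r\n"
    b"Encapsulated: res-hdr=0, null-body=45\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    status, headers, _ = parse_icap_response(SAMPLE_REPLY)
    print(status, scan_verdict(status, headers))  # 200 infected
```

Because the request carries Allow: 204, a clean file is answered with 204 No Content and the client keeps its own copy; only a detection or a rewritten response arrives as a 200 with the encapsulated HTTP response, which is why scan_verdict treats the two status codes differently.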

Setting up a computer to submit files to Symantec Protection Engine for scanning
You can send files to Symantec Protection Engine by using the command-line scanner. You
can run this tool from the computer on which Symantec Protection Engine is running or from
a different computer. You can send files from a computer with a different operating system
than the computer on which Symantec Protection Engine is installed.
To use the command-line scanner, you must select ICAP as the communication protocol for
Symantec Protection Engine.
Because files are sent to Symantec Protection Engine for scanning, you can only specify files
or directories for which you have the appropriate permissions. To send files, you must have
read access to the files. To replace or delete files, you must have permission to modify or
delete files. You must also have access to the directory where the files are located.
If you send files from the same computer on which Symantec Protection Engine runs, you do
not need to install any additional files for the command-line scanner. The appropriate files are
installed automatically during the installation of Symantec Protection Engine.
You can use the command-line scanner to submit files for scanning from a computer that does
not have Symantec Protection Engine installed. You must copy the command-line scanner
files to the computer.
The ssecls files are organized into subdirectories by operating system. Use the files for the
operating system of the computer from which you want to submit files for scanning.
Follow these procedures to set up a computer to submit files for scanning from a computer
that does not have Symantec Protection Engine installed.
To set up a computer to submit files for scanning
1 Obtain copies of the command-line scanner files from one of the following locations:
■ In the Symantec Protection Engine.zip file, in the top-level Command_Line_Scanner
directory.
■ On the computer on which Symantec Protection Engine is installed, in the Symantec
Protection Engine installation directory, in the ssecls subdirectory (Linux).

2 Copy the entire contents of the directory for the appropriate operating system.
3 On the computer from which you want to submit files for scanning, place the files in a
directory location that is in the command prompt path.
See “About the Symantec Protection Engine command-line scanner” on page 230.
See “C-based command-line scanner syntax and usage” on page 232.

C-based command-line scanner syntax and usage


The C-based command-line scanner of Symantec Protection Engine uses the following general
syntax:
ssecls [-options] <path> [<path>...]

The <path> parameter lets you specify one or more files or directories to scan. Each file or
directory must be separated by spaces. You can use the absolute or relative path. If the
specified path is to a file, the file is scanned. If the path is to a directory, all of the files in the
directory are scanned.

Note: Do not use a path with a symbolic link. Symantec Protection Engine does not follow a
symbolic link to a file.

On Linux, set the LD_LIBRARY_PATH environment variable to the directory that contains the ssecls binary. For example:
export LD_LIBRARY_PATH=/opt/SYMCScan/ssecls/C

You can specify any combination of files and directories. You must separate multiple entries
with a space. For example:
ssecls [-options] <pathtofile1> <pathtofile2> <pathtofile3>
You can specify any mounted file system, mount point, or mapped drive. For example:
C:\Work\Scantest.exe

/export/home/

Follow the standard formats for your operating system for handling path names (for example,
special characters, quotation marks, or wildcard characters).
If you have specified a directory for scanning and want Symantec Protection Engine to descend
into subdirectories to scan additional files, you must also use the -recurse option.
See “About requesting recursive scanning” on page 243.
You can only specify files or directories for which you have appropriate permissions. To send
files, you must have read access to the files. To replace or delete files, you must have
permission to modify or delete the files. You must also have access to the directory where the
files are located.
If you do not specify a path, input data is read from standard input (STDIN) and sent to
Symantec Protection Engine for scanning. After the scan, the data (original file, if it was clean)
is written to standard output (STDOUT). If a file is infected, no data is written to STDOUT.

Note: DBCS path names in scan requests should not be converted to Unicode (UTF-8) encoding
before the path is passed to Symantec Protection Engine.

See “About the Symantec Protection Engine command-line scanner” on page 230.
See “Setting up a computer to submit files to Symantec Protection Engine for scanning”
on page 231.
See “Supported command-line options for C-based command-line scanner” on page 234.
See “About specifying the Symantec Protection Engine IP address and port for C-based
command-line scanner” on page 238.
See “About specifying the antivirus scanning mode for C-based command-line scanner”
on page 239.
See “About obtaining scan results for C-based command-line scanner” on page 240.
See “About requesting recursive scanning” on page 243.
See “About disposing of infected files when an error occurs” on page 243.
See “Excluding files from scanning” on page 244.
See “Redirecting console output to a log file” on page 245.
See “About scanning files in Symantec Protection Engine using different services/APIs”
on page 245.
See “About using Insight command options with C-based command-line scanner” on page 246.
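The following Python script is an added example of driving ssecls from a script and is not part of the shipped scanner. It decides which paths to submit by applying the constraints stated in this section: symbolic links are skipped because the engine does not follow them, files without read access are skipped, an optional size limit mirrors the -maxsize option, and subdirectories are entered only when recursion is requested; it then runs ssecls with LD_LIBRARY_PATH set to its directory, and shows the STDIN/STDOUT mode used when no path is given. SSECLS_DIR is the default location from the export example above; the option list is passed to ssecls unchanged, so take the option spellings from Table B-1.

```python
"""Driving ssecls from a script while respecting the constraints above.

Added example, not part of the shipped scanner. The option list is passed to
ssecls as given (see Table B-1); this code only decides which paths to submit.
"""
import os
import subprocess

SSECLS_DIR = "/opt/SYMCScan/ssecls/C"  # default location from the LD_LIBRARY_PATH example


def collect_paths(paths, recurse=False, maxsize=None):
    """Return (to_scan, skipped); skipped holds (path, reason) pairs for the log."""
    to_scan, skipped = [], []

    def consider(path):
        if os.path.islink(path):
            skipped.append((path, "symbolic link"))  # the engine does not follow symlinks
        elif not os.access(path, os.R_OK):
            skipped.append((path, "no read access"))  # read access is required to send a file
        elif maxsize is not None and os.path.getsize(path) > maxsize:
            skipped.append((path, "exceeds maxsize"))
        else:
            to_scan.append(path)

    for path in paths:
        if os.path.islink(path):
            skipped.append((path, "symbolic link"))
        elif os.path.isdir(path):
            if not os.access(path, os.R_OK | os.X_OK):
                skipped.append((path, "no access to directory"))
            elif recurse:
                for root, dirs, files in os.walk(path):
                    # os.walk does not follow symlinked directories; drop them from the listing too.
                    dirs[:] = sorted(d for d in dirs if not os.path.islink(os.path.join(root, d)))
                    for name in sorted(files):
                        consider(os.path.join(root, name))
            else:
                # Without -recurse only the files directly in the directory are scanned.
                for name in sorted(os.listdir(path)):
                    full = os.path.join(path, name)
                    if os.path.islink(full) or os.path.isfile(full):
                        consider(full)
        elif os.path.isfile(path):
            consider(path)
        else:
            skipped.append((path, "not found"))
    return to_scan, skipped


def run_ssecls(options, paths, ssecls_dir=SSECLS_DIR):
    """Run ssecls on `paths` with LD_LIBRARY_PATH set to its directory."""
    env = dict(os.environ, LD_LIBRARY_PATH=ssecls_dir)
    cmd = [os.path.join(ssecls_dir, "ssecls"), *options, *paths]
    return subprocess.run(cmd, env=env, capture_output=True, text=True)


def scan_stream(options, data, ssecls_dir=SSECLS_DIR):
    """With no path ssecls reads STDIN; clean data is echoed to STDOUT, infected data is not."""
    env = dict(os.environ, LD_LIBRARY_PATH=ssecls_dir)
    proc = subprocess.run([os.path.join(ssecls_dir, "ssecls"), *options],
                          input=data, env=env, capture_output=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    import sys
    files, skipped = collect_paths(sys.argv[1:], recurse=True)
    for path, why in skipped:
        print(f"skipped {path}: {why}", file=sys.stderr)
    if files:
        result = run_ssecls(["-details"], files)
        print(result.stdout)
```

Logging the skipped entries matters in practice: a symbolic link or an unreadable file that is silently left out is a gap in coverage, and the reasons collected here are what you would want in the scan log next to the summary that ssecls writes.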
Supported command-line options for C-based command-line scanner


Table B-1 describes the options that the command-line scanner supports.

Table B-1 Supported options for the C-based command-line scanner

Option Description

-server Specify one or more Symantec Protection Engines for scanning files.
You must separate multiple entries with a semicolon. If you do not specify a Symantec Protection Engine, the server option defaults to the local host that listens on the default port.
The format for each Symantec Protection Engine is <IPaddress:port>, where IPaddress is the DNS name or IP address of the computer on which Symantec Protection Engine is running, and port is the port number on which Symantec Protection Engine listens.
Note: When more than one Symantec Protection Engine is specified, the load balancing and failover features of the API are activated automatically.
See “About specifying the Symantec Protection Engine IP address and port for C-based command-line scanner” on page 238.

-mode Optionally override the default antivirus scanning mode.
The scanning modes that you can select are as follows:
■ Scanrepairdelete
If you do not specify a scanning mode, the scan policy defaults to scanrepairdelete. Symantec Protection Engine tries to repair infected files. Files that cannot be repaired are deleted. This configuration is the recommended setting.
■ Scan
Files are scanned, but no repair is tried. Infected files are not deleted.
■ Scanrepair
Symantec Protection Engine tries to repair infected files. Files that cannot be repaired are not deleted.
Note: Symantec Protection Engine version 8.1 does not support repair of infected files.
See “About specifying the antivirus scanning mode for C-based command-line scanner” on page 239.

-verbose Report detailed information about the file that is scanned.
When you use this option, a line of output is printed to STDOUT for each file that is scanned. The information includes both the name of the file and the result of the scan, including the final disposition of the file.
See “About using the -verbose option” on page 240.

-details Report detailed information about the infections or violations that are found.

When you use this option, a block of text is printed to STDOUT for each file that
is scanned. The output text indicates the name of the file that was scanned and
the result of the scan. If the file is infected or violates an established policy, the
output text also provides information about the violation or infection.
Note: If you use the -details option, you do not need to use the -verbose option.
The output for the -verbose option is duplicated as part of the output for the
-details option.

See “About using the -details option” on page 241.

-timing Report the time that was required to scan a file.

When you use this option, a line of output is printed to STDOUT for each file that
is scanned. The output includes the name of the file that was scanned and the
time that it took Symantec Protection Engine to scan the file.

See “About using the -timing option” on page 242.

-recurse Recursively descend into the subdirectories that are inside each path that is
specified on the command line.

See “About requesting recursive scanning” on page 243.

-onerror Specify the disposition of a file that has been modified by Symantec Protection
Engine when an error occurs when Symantec Protection Engine replaces a file.
The default setting is to delete the file. You can specify one of the following:

■ Leave
The original (infected) file is left in place.
■ Delete
The original (infected) file is deleted, even though the replacement data is
unavailable.

See “About disposing of infected files when an error occurs” on page 243.
-exclude Specify the path of a rule file that excludes certain files from scanning. You can exclude files by name from being scanned.

See “Excluding files from scanning” on page 244.

-maxsize Specify maximum file size in bytes to exclude the files that exceed a limit from
being scanned.

Files that exceed the maximum file size limit are not sent to Symantec Protection
Engine for scanning.

See “Excluding files from scanning” on page 244.

-log The command-line scanner redirects the console output to a log file. When the
scan finishes, Symantec Protection Engine writes a summary to the log file (if
you are running in log mode) and the screen. The summary shows the number
of files that were scanned and the number of viruses found.

See “Redirecting console output to a log file” on page 245.

-api The command-line scanner now includes services for supporting Symantec
Insight™, better categorization of threats, and unscannable file handling features.
You can specify one of the following options:

■ 0: Scan file with legacy APIs.
Note: This is the default value.
■ 1: Scan file with enhanced threat categorization APIs.
■ 2: Scan file with Insight APIs.

See “About scanning files in Symantec Protection Engine using different
services/APIs” on page 245.

-disableinsight Disable the Symantec Insight feature.

Note: This service is applicable only if -api = 2.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-digitallysigned Specify if the file is digitally signed.

Note: This service is applicable only if -api = 2.

You can specify one of the following options:

■ 0: File is not digitally signed.
■ 1: File is digitally signed.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-SHA256 Specify the SHA256 value of the file.

Note: This service is applicable only if -api = 2.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-MD5Hash Specify the MD5 value of the file.

Note: This service is applicable only if -api = 2.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-SourceIP Specify the source IP of the file.

Note: This service is applicable only if -api = 2.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-SourceURL Specify the source URL of the file.

Note: This service is applicable only if -api = 2.

See “About using Insight command options with C-based command-line scanner”
on page 246.

-aggressionlevel Set the scanning aggression level.

Note: This service is applicable only if -api = 2.

You can specify one of the following options:

■ 0: Known Bad
■ 1: Low
■ 2: Medium
This is the default value.
■ 3: High

See “About using Insight command options with C-based command-line scanner”
on page 246.

-reportinsightinfo Enable or disable the Insight information for the file.

Note: This service is applicable only if -api = 2.

You can specify one of the following options:

■ 0: Symantec Protection Engine does not provide reputation information in
ICAP response.
■ 1: Symantec Protection Engine provides information in ICAP response for
Insight convicted files.

See “About using Insight command options with C-based command-line scanner”
on page 246.

See “C-based command-line scanner syntax and usage” on page 232.

About specifying the Symantec Protection Engine IP address and port for C-based command-line scanner
The -server option lets you specify one or more Symantec Protection Engines for scanning
files. If you do not specify a Symantec Protection Engine, the server defaults to the local host
that listens on the default port.
The format for each Symantec Protection Engine entry is <IPaddress:port>, where IPaddress
is the DNS name or IP address of the computer on which Symantec Protection Engine is
running, and port is the port number on which Symantec Protection Engine listens. You only
need to specify the port number if Symantec Protection Engine is installed on a port other than
the default. (The default port number for ICAP is 1344.) For example:
ssecls -server 192.168.0.100 c:\temp

ssecls -server 192.168.0.100:5555 c:\temp


You can specify multiple Symantec Protection Engines. You must separate multiple entries
with a semicolon. For example:
ssecls -server 192.168.0.100:1344;192.168.0.101:1344 c:\temp

When more than one Symantec Protection Engine is specified, the load balancing and failover
features of the API are activated automatically. The Symantec Protection Engine API provides
scheduling across any number of computers that are running Symantec Protection Engine.
When multiple Symantec Protection Engines are used, the API determines which Symantec
Protection Engine should receive the next file based on the scheduling algorithm.
If a Symantec Protection Engine is unreachable or stops responding during a scan, another
Symantec Protection Engine is called. The faulty Symantec Protection Engine is taken out of
rotation for 30 seconds. If all Symantec Protection Engines are out of rotation, the faulty
Symantec Protection Engines are called again.
The API does not stop trying to contact Symantec Protection Engine unless any of the following
conditions occur:
■ At least five engines do not function.
■ It appears that a file that was scanned might have caused more than one engine to stop
responding.
See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.
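The load-balancing and failover behaviour described above, modelled in Python as an added example that is not Symantec's ssecls or its API: parse_server_list handles the host:port;host:port form that -server accepts, and EngineScheduler applies only the rules the text states (round-robin across engines, a faulty engine out of rotation for 30 seconds, every engine retried when none is in rotation, giving up after five failed engines or after one file appears to stop more than one engine). The send callback, the engine names and the clock injection are assumptions for offline use; the actual scheduling algorithm inside the API is not documented here.

```python
import time

OUT_OF_ROTATION_SECONDS = 30.0  # from the text: a faulty engine rests for 30 seconds
DEFAULT_PORT = 1344             # from the text: the default ICAP port


def parse_server_list(spec, default_port=DEFAULT_PORT):
    """Parse a -server value, 'host[:port];host[:port]...', into (host, port) pairs.

    Assumes IPv4 addresses or DNS names; an entry without a port gets the default.
    An empty value means the local host on the default port, as the text says.
    """
    engines = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            engines.append((host, int(port)))
        else:
            engines.append((entry, default_port))
    return engines or [("localhost", default_port)]


class EngineScheduler:
    """Round-robin over the engines with the failover rules the text describes.

    `clock` is injectable (defaults to time.monotonic) so the 30-second rule
    can be exercised without waiting.
    """

    def __init__(self, spec, clock=time.monotonic):
        self.engines = parse_server_list(spec)
        self.clock = clock
        self.next_index = 0
        self.out_until = {}   # engine -> time at which it re-enters rotation
        self.failures = []    # (engine, filename) pairs seen so far

    def pick(self):
        """Return the next engine in rotation, skipping engines that are resting."""
        now = self.clock()
        n = len(self.engines)
        for offset in range(n):
            engine = self.engines[(self.next_index + offset) % n]
            if self.out_until.get(engine, 0.0) <= now:
                self.next_index = (self.next_index + offset + 1) % n
                return engine
        # Every engine is out of rotation: the faulty engines are called again.
        self.out_until.clear()
        engine = self.engines[self.next_index % n]
        self.next_index = (self.next_index + 1) % n
        return engine

    def report_failure(self, engine, filename):
        """Take an unreachable or unresponsive engine out of rotation for 30 s."""
        self.out_until[engine] = self.clock() + OUT_OF_ROTATION_SECONDS
        self.failures.append((engine, filename))

    def should_give_up(self):
        """The two stop conditions from the text: five or more engines down, or
        one file that appears to have stopped more than one engine."""
        now = self.clock()
        down = sum(1 for e in self.engines if self.out_until.get(e, 0.0) > now)
        if down >= 5:
            return True
        engines_by_file = {}
        for engine, filename in self.failures:
            engines_by_file.setdefault(filename, set()).add(engine)
        return any(len(s) > 1 for s in engines_by_file.values())


def scan_with_failover(scheduler, filename, send):
    """Submit one file, moving to another engine when the current one fails.

    `send(engine, filename)` stands in for the ICAP request and returns True on
    success or False if the engine was unreachable or stopped responding.
    Returns the engine that scanned the file, or None once the rules say to stop.
    """
    while not scheduler.should_give_up():
        engine = scheduler.pick()
        if send(engine, filename):
            return engine
        scheduler.report_failure(engine, filename)
    return None


if __name__ == "__main__":
    sched = EngineScheduler("192.168.0.100:1344;192.168.0.101:1344")
    # Pretend the first engine is down: the file goes to the second one.
    print(scan_with_failover(sched, r"c:\temp\sample.bin",
                             lambda engine, _: engine[0] != "192.168.0.100"))
```

Because the clock is injected, the 30-second rest can be checked in a unit test by advancing a fake clock rather than sleeping, which is also how you would verify a wrapper script's retry logic before pointing it at production engines.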

About specifying the antivirus scanning mode for C-based command-line scanner
The -mode option lets you override the default antivirus scanning mode for the command-line
scanner. The default scanning mode is scanrepairdelete.
You do not need to specify an antivirus scanning mode to use the default setting.
Scanrepairdelete is the recommended setting.

To override the default antivirus scanning mode, you can specify one of the following scanning
modes using the -mode option:

Scan Files are scanned, but no repair is tried. Infected files are not deleted.

Scanrepair Symantec Protection Engine tries to repair infected files. Files that cannot be repaired
are not deleted.

For example:
ssecls -server 192.168.0.100:1344 -mode scanrepair c:\temp

When files are sent to Symantec Protection Engine using the command-line scanner, the
command-line scanning mode overrides the scan policy configuration on Symantec Protection
Engine. This override includes scanning the files that are embedded in container files. If you
do not specify a scanning mode using the -mode option, the default setting (scanrepairdelete)
applies.
See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

About obtaining scan results for C-based command-line scanner


Use the following options to obtain detailed information about a scan:
■ -verbose
See “About using the -verbose option” on page 240.
■ -details
See “About using the -details option” on page 241.
■ -timing
See “About using the -timing option” on page 242.
These options are not available if you use the pipe mode to send a file for scanning.

About using the -verbose option


Use the -verbose option to obtain information about each file that is scanned. When this option
is used, a line of output is printed to STDOUT for each file. The information includes the name
of the file, the result of the scan, and the final disposition of the file. For example, consider the
following command:
ssecls -server 192.168.0.100:1344 -verbose c:\work\filea c:\work\fileb
c:\work\filec c:\work\filed

Table B-2 lists the possible scan result codes.

Table B-2 Possible scan result codes for the -verbose option

Result code Description

-2 An error occurred within Symantec Protection Engine. The file was not scanned.

-1 An error occurred within the command-line scanner. The file was not scanned.

0 The file was successfully scanned and is clean.
This code can have any of the following meanings:

■ The file was not infected.
■ The file was a container file that contains the embedded files that were infected
and were deleted.

1 The file was successfully scanned and was not deleted.

2 The file was successfully scanned and was deleted.

The output when four files (for example, a, b, c, and d) are scanned should look similar to the
following:
c:\work\filea -1
c:\work\fileb 2
c:\work\filec 2
c:\work\filed 0
See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

About using the -details option


Use the -details option to obtain information about the infections or violations that are found.
When this option is used, a block of text is printed to STDOUT for each file that is infected or
that violates an established policy. The output text indicates the name of the file, information
about the infection or the violation, and the result of the scan. For example, consider the
following command:
ssecls -server 192.168.0.100:1344 -details c:\work\filea c:\work\fileb
c:\work\filec c:\work\filed

The output includes the following information:

Problem name Virus name or description of the container violation

Problem ID Virus ID for viruses or pseudo-ID for policy violations

Disposition Infected or deleted



Note: The output data mirrors the information that Symantec Protection Engine returns for
each infection or violation that is identified. It might not reflect the final disposition of the file.
The code for the scan results indicates the final disposition of the file. This information is also
displayed when you use the -verbose option.

The output when four files (for example, a, b, c, and d) are scanned and files c and d are found
to be infected with the Kakworm.c virus should look similar to the following example:
c:\work\filec 2
Kakworm.c
2832
Infected
c:\work\filed 2
Kakworm.c
2832
Infected
See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.
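A parser for the -verbose and -details output formats described in the two sections above, written as an added example rather than code from the guide: it turns the line-oriented ssecls output into records so a wrapper script can act on result codes, for instance by flagging files with a negative code, which were never scanned, separately from files that were deleted. The sample output is constructed to match the shapes shown in the text; the record field names are this example's own.

```python
import re

# Result codes that -verbose prints, from Table B-2
RESULT_CODES = {
    -2: "error inside Symantec Protection Engine; file not scanned",
    -1: "error inside the command-line scanner; file not scanned",
    0: "scanned and clean (or a container whose infected members were deleted)",
    1: "scanned and not deleted",
    2: "scanned and deleted",
}

# Constructed sample output, matching the shapes shown in the guide
SAMPLE_VERBOSE = "\n".join([
    r"c:\work\filea -1",
    r"c:\work\fileb 2",
    r"c:\work\filec 2",
    r"c:\work\filed 0",
])
SAMPLE_DETAILS = "\n".join([
    r"c:\work\filec 2", "Kakworm.c", "2832", "Infected",
    r"c:\work\filed 2", "Kakworm.c", "2832", "Infected",
])

# '<path> <code>': the lazy path group lets paths contain spaces
_HEADER = re.compile(r"^(?P<path>.+?)\s+(?P<code>-?\d+)$")


def parse_verbose(text):
    """Return [(path, code)] from -verbose output, one line per scanned file."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        match = _HEADER.match(line)
        if match is None:
            raise ValueError("unrecognised -verbose line: %r" % line)
        records.append((match.group("path"), int(match.group("code"))))
    return records


def parse_details(text):
    """Return one dict per infected or policy-violating file from -details output.

    Each file produces a block of four lines: the '<path> <code>' header, the
    problem name, the problem ID, and the disposition reported by the engine.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("-details output is not made of four-line blocks")
    records = []
    for i in range(0, len(lines), 4):
        match = _HEADER.match(lines[i])
        if match is None:
            raise ValueError("bad -details header line: %r" % lines[i])
        records.append({
            "path": match.group("path"),
            "code": int(match.group("code")),
            "problem_name": lines[i + 1],
            "problem_id": lines[i + 2],
            "disposition": lines[i + 3],
        })
    return records


def summarize(verbose_records):
    """Count files per result code and list those that were not clean.

    Negative codes mean the file was never scanned, so a run that contains
    them must not be reported as fully scanned.
    """
    counts = {}
    not_clean = []
    for path, code in verbose_records:
        counts[code] = counts.get(code, 0) + 1
        if code != 0:
            not_clean.append(path)
    return counts, not_clean


def describe(code):
    """Human-readable meaning of a -verbose result code."""
    return RESULT_CODES.get(code, "unknown result code %d" % code)


if __name__ == "__main__":
    counts, not_clean = summarize(parse_verbose(SAMPLE_VERBOSE))
    for code, n in sorted(counts.items()):
        print("%3d  %-70s %d" % (code, describe(code), n))
    for rec in parse_details(SAMPLE_DETAILS):
        print(rec["path"], rec["problem_name"], rec["problem_id"], rec["disposition"])
```

The parser is strict on purpose: a line it cannot match raises rather than being skipped, so a truncated or interleaved log is noticed instead of silently lowering the infection count.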

About using the -timing option


Use the -timing option to examine the time that is required to scan each file. For example,
consider the following command:
ssecls -server 192.168.0.100:1344 -timing c:\work\filea c:\work\fileb
c:\work\filec c:\work\filed

When this option is used, a line of output is printed to STDOUT for each file that is scanned.
The output includes the name of the file that was scanned and the time that it took Symantec
Protection Engine to scan the file.
The reported scan time is calculated as the elapsed time between when the connection with
Symantec Protection Engine opens and closes. The time is reported in seconds with millisecond
accuracy.
The output when four files (for example, a, b, c, and d) are scanned should look similar to the
following example:
c:\work\filea 0.018s
c:\work\fileb 0.013s
c:\work\filec 0.43s
c:\work\filed 0.03s
See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

About requesting recursive scanning


Use the -recurse option to recursively descend into the subdirectories that are inside each
path that is specified on the command line. By default, the command-line scanner does not
recursively search directories for files to send to Symantec Protection Engine for scanning.
You must use the -recurse option to do so, as in the following example:
ssecls -server 192.168.0.100:1344 -recurse c:\winnt

Note: The recursive option does not apply when you use pipe mode.

See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

About disposing of infected files when an error occurs


The -onerror option specifies how to dispose of a file when Symantec Protection Engine
encounters an error while trying to replace the file. The default setting is to delete the file.
You can specify one of the following settings:

Leave The original (infected) file is left in place.

Delete The original (infected) file is deleted, even though the replacement data is
unavailable.

For example:
ssecls -server 192.168.0.100:1344 -onerror delete c:\temp

Note: This option does not apply when you use pipe mode.

See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

Excluding files from scanning


Use the command-line scanner to exclude certain files from scanning. When the scan finishes,
Symantec Protection Engine writes a summary to the log file (if you are running in log mode)
and to the screen. The summary shows the number of files that were scanned and the number
of viruses found.
You can use the command-line scanner to exclude files in the following ways:
■ Exclude the files that exceed a limit from being scanned
■ Exclude files by name from being scanned
To exclude the files that exceed a limit from being scanned
◆ Type the following argument:
-maxsize <bytes>

where <bytes> is the maximum file size to be scanned.


Files that exceed the maximum file size limit are not sent to Symantec Protection Engine
for scanning.
To exclude files by name from being scanned
◆ Type the following argument:
-exclude <path>

where <path> is the path to the rule file.


The format for a rule file is one string per line, where the string can contain one of the
following:

File name All files by that file name are excluded from scanning regardless of the folders
in which they are found. To exclude all files with a specific extension, use *.ext.
(This instance is the only supported use of a wildcard character.)
For example, memo.doc.

Full path name Only this specific file is excluded from scanning.
For example, C:\Documents\memo.doc

Full directory path names Every file in this directory is excluded from scanning.
For example, C:\Documents

See “C-based command-line scanner syntax and usage” on page 232.
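A dry-run matcher for the -exclude rule file format and the -maxsize limit described above. This is an added example, not code from the guide or from ssecls, which applies the rules itself; its purpose is to check, before a scan run, which files a given rule file and size limit would keep away from the engine, so that an exclusion list does not quietly hide more than intended. Rule file and file list are constructed, and one point the guide leaves open is taken as an assumption: a directory rule here covers only files directly in that directory, not its subdirectories, which errs toward scanning more rather than less.

```python
import ntpath


def _norm(path):
    # The guide's examples use Windows paths; compare with one separator,
    # case-insensitively, and without a trailing separator.
    return path.replace("/", "\\").rstrip("\\").lower()


def load_rules(text):
    """Parse a rule file (one string per line) into (kind, value) pairs.

    kind is 'ext' for '*.ext', 'name' for a bare file name, or 'path' for a
    full file or directory path. Any other use of '*' is rejected because the
    guide says '*.ext' is the only supported wildcard.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        value = _norm(line)
        if value.startswith("*.") and "\\" not in value and "*" not in value[1:]:
            rules.append(("ext", value[1:]))          # '.ext', keeps the dot
        elif "*" in value:
            raise ValueError("only *.ext wildcards are supported: %r" % raw)
        elif "\\" not in value:
            rules.append(("name", value))
        else:
            rules.append(("path", value))
    return rules


def is_excluded(path, rules, size=None, maxsize=None):
    """True if the scanner would not send this file to the engine.

    A 'path' rule matches the file itself (full path name) or its parent
    directory (full directory path name). Assumption: files in subdirectories
    of an excluded directory are not covered, since the guide does not say.
    """
    if maxsize is not None and size is not None and size > maxsize:
        return True
    full = _norm(path)
    name = ntpath.basename(full)
    parent = ntpath.dirname(full)
    for kind, value in rules:
        if kind == "ext" and ntpath.splitext(name)[1] == value:
            return True
        if kind == "name" and name == value:
            return True
        if kind == "path" and value in (full, parent):
            return True
    return False


def partition(files, rules, maxsize=None):
    """Split [(path, size)] into (to_scan, skipped) using the rules and limit."""
    to_scan, skipped = [], []
    for path, size in files:
        (skipped if is_excluded(path, rules, size, maxsize) else to_scan).append(path)
    return to_scan, skipped


# Constructed rule file and file list for a dry run
SAMPLE_RULES = r"""
memo.doc
*.tmp
C:\Documents\report.xlsx
C:\Build\cache
"""
SAMPLE_FILES = [
    (r"C:\Users\alice\memo.doc", 120),
    (r"C:\Users\alice\notes.tmp", 8),
    (r"C:\Documents\report.xlsx", 4000),
    (r"C:\Build\cache\obj.o", 300),
    (r"C:\Build\cache\sub\deep.o", 300),
    (r"C:\Documents\big.docx", 5000),
    (r"C:\Documents\plan.docx", 100),
]

if __name__ == "__main__":
    scan, skip = partition(SAMPLE_FILES, load_rules(SAMPLE_RULES), maxsize=4096)
    print("to scan:", scan)
    print("skipped:", skip)
```

Running the dry run over a real directory listing before a scheduled scan shows at a glance whether a size limit or a broad extension rule is excluding files that should have been sent to the engine.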



Redirecting console output to a log file


Use the command-line scanner to redirect console output to a log file. When the scan finishes,
Symantec Protection Engine writes a summary to the log file (if you are running in log mode)
and the screen. The summary shows the number of files that were scanned and the number
of viruses found.
To redirect console output to a log file
◆ Type the following argument:
-log <path>

where <path> is a full or partial path to a file.


The file is created if it does not exist. If the file exists, it is overwritten. Most output is sent
to the log file instead of the screen when you run in this mode. Ssecls writes a series of
dots to the screen as it scans files so that you can view the progress.
See “C-based command-line scanner syntax and usage” on page 232.

About scanning files in Symantec Protection Engine using different services/APIs
Symantec Protection Engine now includes services for supporting Insight, better categorization
of threats, and unscannable file handling features. These services provide Insight information,
additional threat information, and the unscannable file count in the ICAP response. For more
information, see the Symantec Protection Engine Software Developer's Guide.
The -api option specifies what service to use to scan the file. The default setting is to use the
old API to scan files.
Table B-3 describes options for scanning files in Symantec Protection Engine.

Table B-3 Options to scan file in Symantec Protection Engine

Option Description

0 Scan file with legacy APIs.
Note: This is the default value.

1 Scan file with enhanced threat categorization APIs.

2 Scan file with Insight APIs.

For example:
ssecls -server 192.168.0.100:1344 -api 1 c:\test.txt

ssecls -server 192.168.0.100:1344 -api 1 /test.txt


See “C-based command-line scanner syntax and usage” on page 232.
See “Supported command-line options for C-based command-line scanner” on page 234.

About using Insight command options with C-based command-line scanner
Table B-4 explains the insight-specific command options that can be set from the command-line
scanner at run time.

Note: The command options explained in Table B-4 are optional. To use these Insight command
options, make sure that you set the value of -api to 2.

Table B-4 Insight command options

Options Description

-disableinsight This command option lets you specify if you want to enable/disable
Insight.
If Insight is disabled, all other Insight-specific command options are
ignored.

-digitallysigned This command option lets you specify if the file is digitally signed or
not. By default, Symantec Protection Engine checks if the file is digitally
signed or not.
If you specify that the file is not digitally signed, Symantec Protection
Engine skips that check and saves the time it takes to examine the digital
signature information. This improves the Insight query performance.

-SHA256 This command option lets you specify the SHA256 hash value of the
file. Symantec Protection Engine calculates the SHA256 value, if not
provided.

You may want to provide the SHA256 value to save on the time taken
to calculate the SHA256 value.

-MD5Hash This command option lets you specify the MD5 hash value of the file.

If specified Symantec Protection Engine may use it for the Insight query.

-SourceIP This command option lets you specify the IP address of the source
from where the file is downloaded.

-SourceURL This command option lets you specify the URL of the source from where
the file is downloaded.

-aggressionlevel This command option lets you set the scanning aggression level.
The scanning aggression level defines the detection aggression level
for threat detection technologies.

-reportinsightinfo This command option decides if Insight information should be made
available in the response or not.

Example:
ssecls -api 2 -digitallysigned 1 -SHA256
63ac0ad9c9dbeffdba4dc07c3c685dce4d41a4169eb5efabf9347dd577d3270d -MD5Hash
62825AA34568DA314E60D2AC2ACD2181 -SourceIP "192.172.1.8"
-SourceURL "www.symantec.com" -reportinsightinfo 1 -aggressionlevel 2
c:\testfolder\test.exe

See “Supported command-line options for C-based command-line scanner” on page 234.
See “C-based command-line scanner syntax and usage” on page 232.
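One way to produce the Insight invocation shown in the example above from a script, added here as an illustration and not code from the guide or from Symantec: the SHA256 and MD5 values that -SHA256 and -MD5Hash accept are computed locally (the guide notes that supplying the SHA256 saves the engine that work), the source IP is validated before it is passed on, and the command is returned as an argument list for subprocess so that values such as the -SourceURL string are separate arguments and never depend on shell quoting. The file path, server, IP and URL are the guide's example values or constructed; the helper names are this example's own.

```python
import hashlib
import ipaddress


def hashes_of_bytes(data):
    """SHA256 (lower-case hex) and MD5 (upper-case hex), the forms the guide's example shows."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest().upper()


def file_hashes(path, chunk_size=1 << 20):
    """Stream a file through both hashes so large files need not fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest().upper()


def insight_argv(path, sha256, md5, server=None, source_ip=None, source_url=None,
                 digitally_signed=None, aggression_level=2, report_insight_info=1,
                 ssecls="ssecls"):
    """Assemble the ssecls argument list for an Insight (-api 2) scan.

    Returned as a list for subprocess.run(argv): each value, including the
    -SourceURL string, is its own argument, so no shell quoting is involved.
    """
    if len(sha256) != 64 or len(md5) != 32:
        raise ValueError("sha256 must be 64 hex characters and md5 32 hex characters")
    if aggression_level not in (0, 1, 2, 3):
        raise ValueError("aggression level must be 0 (Known Bad) to 3 (High)")
    if report_insight_info not in (0, 1):
        raise ValueError("reportinsightinfo must be 0 or 1")
    argv = [ssecls]
    if server is not None:
        argv += ["-server", server]
    argv += ["-api", "2", "-SHA256", sha256, "-MD5Hash", md5,
             "-aggressionlevel", str(aggression_level),
             "-reportinsightinfo", str(report_insight_info)]
    if digitally_signed is not None:
        argv += ["-digitallysigned", "1" if digitally_signed else "0"]
    if source_ip is not None:
        ipaddress.ip_address(source_ip)      # raises ValueError on a malformed address
        argv += ["-SourceIP", source_ip]
    if source_url is not None:
        argv += ["-SourceURL", source_url]
    argv.append(path)
    return argv


def insight_argv_for_file(path, **options):
    """Hash the file locally, then build the argument list."""
    sha256, md5 = file_hashes(path)
    return insight_argv(path, sha256, md5, **options)


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: python this_script.py <file> [server]; runs ssecls if it is on PATH.
    argv = insight_argv_for_file(sys.argv[1],
                                 server=sys.argv[2] if len(sys.argv) > 2 else None,
                                 source_ip="192.172.1.8", source_url="www.symantec.com")
    print(" ".join(argv))
    subprocess.run(argv)
```

Keeping the hash computation in the submitting script also gives you a record of what was sent, which is useful when reconciling Insight verdicts against the files later.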

Java based command-line scanner syntax and usage


The Java based command-line scanner of Symantec Protection Engine uses the following
general syntax:
java -jar ssecls.jar [options] -f <file to scan>

The <file to scan> parameter lets you specify a file to scan. You can use the absolute or relative
path.

Note: Do not use a path with a symbolic link. Symantec Protection Engine does not follow a
symbolic link to a file.

You can specify any mounted file system, mount point, or mapped drive. For example:
C:\Work\Scantest.exe

/export/home/

Follow the standard formats for your operating system for handling path names (for example,
special characters, quotation marks, or wildcard characters).
You can only specify files for which you have appropriate permissions. To send files, you must
have read access to the files. To replace or delete files, you must have permission to modify
or delete the files. You must also have access to the directory where the files are located.

See “About the Symantec Protection Engine command-line scanner” on page 230.
See “Setting up a computer to submit files to Symantec Protection Engine for scanning”
on page 231.
See “Supported command-line options for Java based command-line scanner” on page 248.
See “About specifying the Symantec Protection Engine IP address and port for Java based
command-line scanner” on page 251.
See “About specifying the antivirus scanning mode for Java based command-line scanner”
on page 252.
See “About obtaining scan results for Java based command-line scanner” on page 253.
See “About scanning files in Symantec Protection Engine using different services/APIs with
Java based command-line scanner” on page 254.
See “About using Insight command options with Java based command-line scanner”
on page 254.

Supported command-line options for Java based command-line scanner
Table B-5 describes the options that the command-line scanner supports.

Table B-5 Supported options for the Java based command-line scanner

Option Description

-s, --server Specify one or more Symantec Protection Engines for scanning files.

You must separate multiple entries with a semicolon and the entries should be
in double quotes. If you do not specify a Symantec Protection Engine, the server
option defaults to the local host that listens on the default port.

The format for each Symantec Protection Engine is <IPaddress:port>, where
IPaddress is the DNS name or IP address of the computer on which Symantec
Protection Engine is running, and port is the port number on which Symantec
Protection Engine listens.

Note: When more than one Symantec Protection Engine is specified, the load
balancing and failover features of the API are activated automatically.

See “About specifying the Symantec Protection Engine IP address and port for
Java based command-line scanner” on page 251.

-a, --action Optionally override the default antivirus scanning mode.
The scanning modes that you can select are as follows:

■ Scan
Files are scanned, but no repair is tried. Infected files are not deleted.
■ Scanrepair
Symantec Protection Engine tries to repair infected files. Files that cannot
be repaired are not deleted.
■ Scanrepairdelete
Symantec Protection Engine tries to repair infected files. Files that cannot
be repaired are deleted. This configuration is the recommended setting.
■ Default
If you do not specify a scanning mode, the scan policy defaults to the policy
set on the Symantec Protection Engine.

Note: Symantec Protection Engine version 8.1 does not support repair of infected
files.

See “About specifying the antivirus scanning mode for Java based command-line
scanner” on page 252.

-c, --clobber Always overwrites the scanned file with server response.

-b, --verbose Report detailed information about the file that is scanned.

When you use this option, a line of output is printed to STDOUT for each file that
is scanned. The information includes both the name of the file and the result of
the scan, including the final disposition of the file.

See “About using the --verbose option in the java based command-line scanner”
on page 253.

-p, --api The command-line scanner now includes services for supporting Insight, better
categorization of threats, and unscannable file handling features.
You can specify one of the following options:

■ 0: Scan file with legacy APIs.
This is the default value.
■ 1: Scan file with APIs (enhanced threat categorization).
■ 2: Scan file with Insight APIs.

See “About scanning files in Symantec Protection Engine using different
services/APIs with Java based command-line scanner” on page 254.

-d, --disableinsight Disable the Symantec Insight feature.

Note: This service is applicable only if -p, --api = 2.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-l, --aggressionlevel Set the scanning aggression level.

Note: This service is applicable only if -p, --api = 2.

You can specify one of the following options:

■ 0: Known Bad
■ 1: Low
■ 2: Medium
This is the default value.
■ 3: High

See “About using Insight command options with Java based command-line
scanner” on page 254.

-md5, --md5hash Specify the MD5 value of the file.

Note: This service is applicable only if -p, --api = 2.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-sha, --sha256 Specify the SHA256 value of the file.

Note: This service is applicable only if -p, --api = 2.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-i, --sourceip Specify the source IP of the file.

Note: This service is applicable only if -p, --api = 2.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-u, --sourceurl Specify the source URL of the file.

Note: This service is applicable only if -p, --api = 2.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-n, --digitallysigned Specify if the file is digitally signed.

Note: This service is applicable only if -p, --api = 2.

You can specify one of the following options:

■ 0: File is not digitally signed.
■ 1: File is digitally signed.

See “About using Insight command options with Java based command-line
scanner” on page 254.

-r, --reportinsightinfo Specify the Insight information for the file.

Note: This service is applicable only if -p, --api = 2.

You can specify one of the following options:

■ 0: Symantec Protection Engine does not provide reputation information in
ICAP response.
■ 1: Symantec Protection Engine provides information in ICAP response for
Insight convicted files.

See “About using Insight command options with Java based command-line
scanner” on page 254.

See “Java based command-line scanner syntax and usage” on page 247.

About specifying the Symantec Protection Engine IP address and port for Java based command-line scanner
The --server option lets you specify one or more Symantec Protection Engines for scanning
files. If you do not specify a Symantec Protection Engine, the server defaults to the local host
that listens on the default port.
The format for each Symantec Protection Engine entry is <IPaddress:port>, where IPaddress
is the DNS name or IP address of the computer on which Symantec Protection Engine is
running, and port is the port number on which Symantec Protection Engine listens. You only
need to specify the port number if Symantec Protection Engine is installed on a port other than
the default. (The default port number for ICAP is 1344.) For example:
java -jar ssecls.jar --server 192.168.0.100 -f c:\temp\abc.txt

java -jar ssecls.jar --server 192.168.0.100:5555 -f c:\temp\abc.txt

You can specify multiple Symantec Protection Engines. You must separate multiple entries
with a semicolon and you must enclose the entries in double quotes. For example:
java -jar ssecls.jar --server "192.168.0.100:1344;192.168.0.101:1344" -f c:\temp\abc.txt

When more than one Symantec Protection Engine is specified, the load balancing and failover
features of the API are activated automatically. The Symantec Protection Engine API provides
scheduling across any number of computers that are running Symantec Protection Engine.
When multiple Symantec Protection Engines are used, the API determines which Symantec
Protection Engine should receive the next file based on the scheduling algorithm.
If a Symantec Protection Engine is unreachable or stops responding during a scan, another
Symantec Protection Engine is called. The faulty Symantec Protection Engine is taken out of
rotation for 30 seconds. If all Symantec Protection Engines are out of rotation, the faulty
Symantec Protection Engines are called again.
The API does not stop trying to contact Symantec Protection Engine unless any of the following
conditions occur:
■ At least five engines do not function
■ It appears that a file that was scanned might have caused more than one engine to stop
responding
See “Java based command-line scanner syntax and usage” on page 247.
See “Supported command-line options for Java based command-line scanner” on page 248.

About specifying the antivirus scanning mode for Java based command-line scanner
The --action option lets you override the default antivirus scanning mode for the Java based
command-line scanner. The default scanning mode is the antivirus scan policy set on the
Symantec Protection Engine.
You do not need to specify an antivirus scanning mode to use the default setting.
Scanrepairdelete is the recommended setting.

To override the default antivirus scanning mode, you can specify one of the following scanning
modes using the --action option:

Scan Files are scanned, but no repair is tried. Infected files are not deleted.

Scanrepair Symantec Protection Engine tries to repair infected files. Files that cannot be
repaired are not deleted.

Scanrepairdelete Symantec Protection Engine tries to repair infected files. Files that cannot be
repaired are deleted.

For example:
java -jar ssecls.jar --server 192.168.0.100:1344 --action scanrepair -f c:\temp\abc.txt

Note: Symantec Protection Engine version 8.1 does not support repair of infected files.

When files are sent to Symantec Protection Engine using Java based command-line scanner,
the command-line scanning mode overrides the scan policy configuration on Symantec
Protection Engine. This override includes scanning the files that are embedded in container
files. If you do not specify a scanning mode using the --action option, the default setting is the
antivirus scan policy set on Symantec Protection Engine.
See “Java based command-line scanner syntax and usage” on page 247.
See “Supported command-line options for Java based command-line scanner” on page 248.

About obtaining scan results for Java based command-line scanner


You can use the --verbose option to obtain detailed information about a scan.
See “About using the --verbose option in the java based command-line scanner” on page 253.
This option is not available if you use the pipe mode to send a file for scanning.

About using the --verbose option in the java based command-line scanner
Use the --verbose option to obtain information about each file that is scanned. When this option
is used, a line of output is printed to STDOUT for each file. The information includes the name
of the file, the result of the scan, and the final disposition of the file. For example, consider the
following command:
java -jar ssecls.jar --server 192.168.0.100:1344 --verbose -f c:\work\filea

The output when a file is scanned using the --verbose option should look similar to the following:
File Scanned: c:\work\filea
Scan Status: Clean
See “Java based command-line scanner syntax and usage” on page 247.
See “About obtaining scan results for Java based command-line scanner” on page 253.
See “Supported command-line options for Java based command-line scanner” on page 248.

About scanning files in Symantec Protection Engine using different services/APIs with Java based command-line scanner

Symantec Protection Engine now includes services that support Insight, better categorization
of threats, and unscannable file handling. These services provide Insight information,
additional threat information, and the unscannable file count in the ICAP response. For more
information, see the Symantec Protection Engine Software Developer's Guide.
The --api option specifies which service to use to scan the file. The default setting is to use the
legacy API to scan files.
Table B-6 describes the options to scan a file in Symantec Protection Engine.

Table B-6 Options to scan file in Symantec Protection Engine

0  Scan file with the legacy APIs. Note: This is the default value.

1  Scan file with the enhanced threat categorization APIs.

2  Scan file with the Insight APIs.

For example:
java -jar ssecls.jar --server 192.168.0.100:1344 --api 1 -f c:\temp\test.txt

java -jar ssecls.jar --server 192.168.0.100:1344 --api 1 -f /test.txt

See “Java based command-line scanner syntax and usage” on page 247.
See “Supported command-line options for Java based command-line scanner” on page 248.

About using Insight command options with Java based command-line scanner

Table B-7 explains the Insight-specific command options that can be set from the command-line
scanner at run time.

Note: The command options explained in Table B-7 are optional. To use these Insight command
options, make sure that you set the value of --api to 2.

Table B-7 Insight command options

-d, --disableinsight  Specifies whether Insight is enabled or disabled. If Insight is disabled, all other Insight-specific command options are ignored.

-n, --digitallysigned  Specifies whether the file is digitally signed. By default, Symantec Protection Engine checks whether the file is digitally signed. Specifying that the file is not digitally signed saves the time that Symantec Protection Engine would take to check the digital signature information, which improves the Insight query performance.

-sha, --sha256  Specifies the SHA256 hash value of the file. Symantec Protection Engine calculates the SHA256 value if it is not provided. You may want to provide the SHA256 value to save the time taken to calculate it.

-md5, --md5Hash  Specifies the MD5 hash value of the file. If specified, Symantec Protection Engine may use it for the Insight query.

-i, --sourceip  Specifies the IP address of the source from which the file is downloaded.

-u, --sourceurl  Specifies the URL of the source from which the file is downloaded.

-l, --aggressionlevel  Sets the scanning aggression level. The Scanning Aggression Level defines the detection aggression level for threat detection technologies.

-r, --reportinsightinfo  Decides whether Insight information is made available in the response.

Example:

java -jar ssecls.jar --api 2 --digitallysigned 1 --sha256 63ac0ad9c9dbeffdba4dc07c3c685dce4d41a4169eb5efabf9347dd577d3270d --md5hash 62825AA34568DA314E60D2AC2ACD2181 --sourceip "192.172.1.8" --sourceurl "www.symantec.com" --reportinsightinfo 1 --aggressionlevel 2 -f c:\testfolder\test.exe
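The following Python wrapper is an added example; it is not code from this guide and not part of the ssecls.jar tool. It computes the SHA256 and MD5 values locally (as the --sha256 and --md5hash options above allow, so the engine does not have to hash the file itself), assembles the java -jar ssecls.jar argument list for an Insight (--api 2) scan, and parses the per-file output of the --verbose option described earlier in this appendix. The "File Scanned:" / "Scan Status:" line format is taken from the guide's sample output; any other status text is an assumption, the sample output below is constructed, and the scanner is only invoked by the last function, which is not needed to try the rest offline.

```python
"""Wrap the Java command-line scanner (ssecls.jar): build an Insight scan
command with locally computed hashes and parse the --verbose output.

Added example; not code from the guide or the product. Option names are the
ones the guide lists. The output line format follows the guide's sample
("File Scanned: ..." / "Scan Status: ..."); other status text is assumed.
"""
import hashlib
import shlex
import subprocess

# Constructed sample of --verbose output: one clean file, one detection and one
# record whose status line never arrived (for example a scanner crash).
SAMPLE_VERBOSE_OUTPUT = (
    "File Scanned: c:\\work\\filea\n"
    "Scan Status: Clean\n"
    "File Scanned: c:\\work\\fileb\n"
    "Scan Status: Infected\n"
    "File Scanned: c:\\work\\filec\n"
)


def _digest(chunks):
    """SHA256 and MD5 hex digests over an iterable of byte chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in chunks:
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def hash_bytes(data):
    return _digest([data])


def file_hashes(path):
    """Hash a file in 1 MiB chunks so large samples are not read into memory at once."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 20), b""))


def build_insight_command(path, server, hashes=None, source_ip=None, source_url=None,
                          aggression_level=None, digitally_signed=None,
                          report_insight_info=True, verbose=True, jar="ssecls.jar"):
    """Argument list for an Insight (--api 2) scan. Passing the hashes saves the
    engine the time it would otherwise spend computing SHA256 and MD5 itself."""
    sha256_hex, md5_hex = hashes if hashes is not None else file_hashes(path)
    argv = ["java", "-jar", jar, "--server", server, "--api", "2",
            "--sha256", sha256_hex, "--md5hash", md5_hex]
    if digitally_signed is not None:
        argv += ["--digitallysigned", "1" if digitally_signed else "0"]
    if source_ip:
        argv += ["--sourceip", source_ip]
    if source_url:
        argv += ["--sourceurl", source_url]
    if aggression_level is not None:
        argv += ["--aggressionlevel", str(aggression_level)]
    argv += ["--reportinsightinfo", "1" if report_insight_info else "0"]
    if verbose:
        argv.append("--verbose")
    argv += ["-f", str(path)]
    return argv


def parse_verbose_output(text):
    """Pair each 'File Scanned:' line with the 'Scan Status:' line that follows it.
    A record with status None means the scanner never reported a result."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File Scanned:"):
            current = {"file": line[len("File Scanned:"):].strip(), "status": None}
            records.append(current)
        elif line.startswith("Scan Status:") and current is not None:
            current["status"] = line[len("Scan Status:"):].strip()
            current = None
    return records


def not_clean(records):
    """Records an operator needs to look at: any status other than Clean, including
    a missing status, which must not be treated as a pass."""
    return [r for r in records if r["status"] != "Clean"]


def scan_and_report(path, server, **insight_options):
    """Run the scanner (needs Java, ssecls.jar and a reachable engine) and parse."""
    argv = build_insight_command(path, server, **insight_options)
    print("Running:", shlex.join(argv))
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return parse_verbose_output(proc.stdout)
```

A file whose "Scan Status:" line is missing is deliberately reported by not_clean: the absence of a verdict is not a clean verdict, and a pipeline that only looks for the word "Infected" would silently pass such files.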

See “Supported command-line options for Java based command-line scanner” on page 248.

See “Java based command-line scanner syntax and usage” on page 247.
Appendix C
About editing configuration data
This appendix includes the following topics:

■ About editing the Symantec Protection Engine configuration files

■ About configuration options

About editing the Symantec Protection Engine configuration files

You can configure most of the options for Symantec Protection Engine through the Web-based
console. However, there are configuration options that are not available in the console that
you might need to reconfigure.
See “Before you install Symantec Protection Engine” on page 28.
You can change certain Symantec Protection Engine settings by modifying the data in the
XML files.
The XML files that you can modify are as follows:

configuration.xml Contains logging, the temporary directory location, protocol configurations, and
operating-system-specific settings

filtering.xml Contains settings for URL filtering, MIME, and container limits

liveupdate.xml Contains LiveUpdate options

policy.xml Contains access-denied and notification messages, extension policy and
extension lists, and Bloodhound scanning settings

In Linux, the default location for the XML files is /opt/SYMCScan/bin/.



Note: When you edit the configuration data, all high-ASCII and double-byte characters must
be written in UTF-8 encoding.

When you have finished editing the settings in the XML files, you must stop and restart
Symantec Protection Engine. Changes to settings that also appear in the console (if any) are
visible the next time that you open the console.
See “Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux ”
on page 41.

Warning: Several configuration options are not addressed here and should not be changed.
Changes to certain options can detrimentally affect product performance. For example, the
installation directory is specified at installation, and the product does not function if you change
this value.

About configuration options

To modify an XML file, you must know the XPath and the field values.
You can use the XML modifier command-line tool of Symantec Protection Engine to configure
the following options:
■ Configure the ICAP response in Symantec Protection Engine
See “Configure the ICAP response” on page 259.
■ Configure the ICAP preview option in Symantec Protection Engine
See “Configure the ICAP preview option” on page 260.
■ Configure the secure ICAP options
See “Configure the secure ICAP options” on page 260.
■ Enable client certificate verification
See “Enabling client certificate verification” on page 262.
■ Control the dynamic thread pool
See “Control the dynamic thread pool” on page 262.
■ Disable the ICAP threshold client notification feature in Symantec Protection Engine
See “Disable the ICAP threshold client notification” on page 264.
■ Change the LiveUpdate base time
See “Change the LiveUpdate base time” on page 265.
■ Configure the LiveUpdate server details
See “Configure the LiveUpdate server details” on page 266.
■ Specify a replacement file name in Symantec Protection Engine
See “Specify a replacement file name” on page 267.
■ Specify archive file types to scan in Symantec Protection Engine
■ Modify the ICAP options attribute-list extension in Symantec Protection Engine
See “Modify the ICAP options attribute-list extension” on page 268.
■ Access scan error files in Symantec Protection Engine
See “Access scan error files” on page 269.
■ Disable automatic self-test scanning
See “Disable automatic self-test scanning” on page 269.
■ Enable nonviral threat categories information in Symantec Protection Engine
See “Enable nonviral threat categories information” on page 270.
■ Specify decomposer file size limit in Symantec Protection Engine

■ Specify maximum file size for extracted files in Symantec Protection Engine
See “Specify maximum file size for extracted files” on page 271.
■ Specify maximum cumulative file size for extracted files in Symantec Protection Engine
See “Specify maximum cumulative file size for extracted files” on page 271.
■ Specify maximum socket timeout value in Symantec Protection Engine
See “Specify the maximum socket timeout value” on page 272.
■ Specify file size threshold for scanning exclusion
See “Specify file size threshold for scanning exclusion” on page 272.
■ Include category information from ICAP response in URL filtering
See “Include category information from ICAP response in URL filtering” on page 273.
■ Enable sub-categories description
■ Enable threat categories information
See “Enable threat categories information” on page 273.
■ Specify file path exclusion for scanning in Symantec Protection Engine
See “ Specify file path exclusion for scanning in Symantec Protection Engine” on page 274.
■ Configuring the additional parameters of URL Reputation
See “Configuring the additional parameters of URL Reputation” on page 276.
See “About XMLModifier tool” on page 173.
See “Accessing the XML modifier command-line tool” on page 177.

Configure the ICAP response

If your client uses ICAP, you can configure the ICAP response option.

You might need to adjust this setting depending on the ICAP 1.0 application for which Symantec
Protection Engine provides scanning services. The default setting is to send an "access denied"
message when a file is blocked. However, some ICAP 1.0 applications are configured to
receive the ICAP 403 response instead.
Table C-1 lists the ICAP response settings.

Table C-1 ICAP response settings

XPath: /configuration/ProtocolSettings/ICAP/ICAPResponse/@value
Field values:
■ False: Send access denied message or ICAP 403 response.
■ True: Send a replacement file.
Default setting: True

See “About configuration options” on page 258.

Configure the ICAP preview option

The ICAP preview option specifies whether to send the transfer headers based on the extension
list or to send a header to preview all.
Table C-2 lists the ICAP preview settings.

Table C-2 ICAP preview settings

XPath: /configuration/ProtocolSettings/ICAP/ICAPPreviewAll/@value
Field values:
■ False: Send the transfer headers based on the Symantec Protection Engine extension lists.
■ True: Send a transfer-preview header indicating preview all.
Default setting: True

See “About configuration options” on page 258.

Configure the secure ICAP options

To use secure ICAP communication, you must configure the secure ICAP parameters in
configuration.xml.
Prerequisites to enable secure ICAP:
■ Private key file
■ Private key pass phrase, if the private key is password protected; otherwise leave it blank.
■ Server certificate file (also known as public key)
■ Cipher list, if a specific cipher is needed; otherwise the default list is already configured.
The configuration file parameters for secure ICAP are as follows:

SecureICAPPort  Specify the port number to use for secure ICAP. The default secure ICAP port is 11344.

PrivateKeyFile  Specify the Symantec Protection Engine server's private key file.

PrivateKeyPassPhrase  Set the value in encrypted form. The XML modifier tool encrypts the plain text private key pass phrase and stores the encrypted value in the configuration.xml file.

CertificateFile  Specify the Symantec Protection Engine server certificate file name.

CipherList  Configure the cipher list.

Default cipher list:

"ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,
ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,AES128-GCM-SHA256,
AES256-GCM-SHA384,AES128-SHA256,AES256-SHA256"

Table C-3 Secure ICAP settings

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/@enabled
Field values:
■ False: Disable secure ICAP.
■ True: Enable secure ICAP.
Default setting: False

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/SecureICAPPort/@value
Field values: Integer from 0 through 65535
Default setting: 11344

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/PrivateKeyFile/@value
Field values: Symantec Protection Engine server's private key file.
Default setting: NA

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/PrivateKeyPassPhrase/@value
Field values: Encrypt and set plain text private key pass phrase.
Default setting: NA

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/CertificateFile/@value
Field values: Symantec Protection Engine server certificate file.
Default setting: NA

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/CipherList/@value
Field values: Comma separated cipher list in OpenSSL supported format.
Default setting: Default list

See “Enabling client certificate verification” on page 262.

Enabling client certificate verification

You can enable client certificate verification if you have enabled secure ICAP.
Prerequisites to enable client authentication:
■ CA certificate file that is used to sign the client's certificate.
■ Optionally, a directory path that contains CA certificates in PEM format.

Table C-4 Client certificate verification settings

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/ClientCertificateVerification/@enabled
Field values:
■ False: Disable client certificate verification.
■ True: Enable client certificate verification.
Default setting: False

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/ClientCertificateVerification/ClientCACertificateFile/@value
Field values: Client CA certificate file.
Default setting: None

XPath: /configuration/ProtocolSettings/ICAP/SecureICAP/CACertFilePath/@value
Field values: Directory that contains CA certificates in PEM format
Default setting: None

See “Configure the secure ICAP options” on page 260.

Control the dynamic thread pool

The pool of scanning threads that is available to Symantec Protection Engine for antivirus
scanning dynamically adjusts to the load that is processed. You can change several parameters
to control the dynamic thread pool.

Note: To disable dynamic thread pool management and use a fixed thread pool size, use the
same number of scanning threads that you set for the fixed thread pool for both the MinThreads
and MaxThreads parameters. You must configure the maximum threads in the console.
See “Allocating resources for Symantec Protection Engine” on page 58.

The configuration file parameters for controlling the dynamic thread pool are as follows:

MinThreads  The minimum number of scanning threads that is created at startup time and the minimum to keep alive regardless of the load that is processed. The default setting depends on the number of cores of the processor.

See “About available threads for scanning” on page 116.

The MinThreads value cannot be greater than the MaxThreads value. (Symantec Protection Engine does not validate the value that you input to ensure that it is lower than the MaxThreads value.) If the MinThreads value is greater than the MaxThreads value, Symantec Protection Engine generates the minimum thread pool based on the MinThreads value, regardless of the MaxThreads value. As a result, the "Active threads" value and the "Waiting threads" value on the Reports > Resources page would be greater than the "Thread pool size" value.

GrowThreadCount  The number of scanning threads to add when the existing threads cannot handle the load that is processed. The default setting is 4. The GrowThreadCount value must be larger than the ShrinkThreadCount value. Reasonable values are in the range of 0 to 16.

Note: You consume resources when you create new threads. After you create threads (GrowThreadCount), only make modifications when necessary. Remove threads (ShrinkThreadCount) more slowly than you add threads. In this way, you do not consume additional resources, as happens when you create new threads in a short period of time.

ShrinkThreadCount  The number of scanning threads to remove when more threads are running than are needed for the load that is processed. The default setting is 2. The ShrinkThreadCount value must be smaller than the GrowThreadCount value.

BusyRequestCount  The number of queued requests waiting to be processed by scanning threads that triggers the creation of more scanning threads. The default setting is 4. The BusyRequestCount value cannot be less than 2.

IdleThreadCount  The number of idle scanning threads that triggers the removal of scanning threads. The default setting is 6.

SecondsBetweenChecks  The number of seconds between evaluations of the thread pool activity. The default setting is 5 seconds. This value cannot be smaller than 2.

Note: Because thread pool activity is checked at the frequency that is specified for the SecondsBetweenChecks parameter, changes to the thread pool size occur at the same frequency.

Table C-5 lists the dynamic thread pool settings.

Table C-5 Dynamic thread pool settings

XPath: /configuration/Resources/System/MinThreads/@value
Field values: Integer between 0 - 512
Default setting: Depends on the number of cores of the processor.

XPath: /configuration/Resources/System/GrowThreadCount/@value
Field values: Integer between 0 - 16
Default setting: 4

XPath: /configuration/Resources/System/ShrinkThreadCount/@value
Field values: Integer between 0 - 16
Default setting: 2

XPath: /configuration/Resources/System/BusyRequestCount/@value
Field values: Integer 0 or greater
Default setting: 4

XPath: /configuration/Resources/System/IdleThreadCount/@value
Field values: Integer between 0 - 16
Default setting: 6

XPath: /configuration/Resources/System/SecondsBetweenChecks/@value
Field values: Integer 2 or greater
Default setting: 5
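Because Symantec Protection Engine does not validate MinThreads against MaxThreads, and an empty key or certificate path only fails once secure ICAP is switched on, it is worth checking configuration.xml before restarting the service. The following Python checker is an added example; it is not the product's XML modifier tool and not code from this guide. It resolves the XPaths listed in Table C-3, Table C-4 and Table C-5 against the document, applies the constraints the surrounding text states, and flags entries in the CipherList that do not provide forward secrecy. The sample configuration.xml is constructed to match those XPaths and is not copied from an installation; the MaxThreads XPath is an assumption, since the guide only says that MaxThreads is set in the console.

```python
"""Pre-restart check of the dynamic thread pool and secure ICAP settings in a
Symantec Protection Engine configuration.xml. Added example: not the product's
XML modifier tool and not code from the guide. XPaths are those of Tables C-3,
C-4 and C-5; the MaxThreads XPath and the sample document layout are assumed.
SAMPLE_CONFIG is a constructed sample, not a real installation's file.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <Resources>
    <System>
      <MinThreads value="64"/>
      <MaxThreads value="32"/> <!-- assumed XPath; the guide sets this in the console -->
      <GrowThreadCount value="2"/>
      <ShrinkThreadCount value="4"/>
      <BusyRequestCount value="1"/>
      <IdleThreadCount value="6"/>
      <SecondsBetweenChecks value="5"/>
    </System>
  </Resources>
  <ProtocolSettings>
    <ICAP>
      <SecureICAP enabled="True">
        <SecureICAPPort value="11344"/>
        <PrivateKeyFile value=""/>
        <CertificateFile value="/opt/SYMCScan/bin/server.crt"/>
        <CipherList value="ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,AES128-GCM-SHA256,AES256-GCM-SHA384,AES128-SHA256,AES256-SHA256"/>
        <ClientCertificateVerification enabled="True">
          <ClientCACertificateFile value=""/>
        </ClientCertificateVerification>
      </SecureICAP>
    </ICAP>
  </ProtocolSettings>
</configuration>
"""
SYSTEM = "/configuration/Resources/System/"
SECURE_ICAP = "/configuration/ProtocolSettings/ICAP/SecureICAP"


def load_config(xml_text):
    return ET.fromstring(xml_text)


def get_attr(root, xpath):
    # Guide-style XPath "/configuration/.../Node/@attr"; None if node/attr is absent.
    path, attr = xpath.rsplit("/@", 1)
    node = root.find(path[len("/configuration/"):])
    return None if node is None else node.get(attr)


def get_int(root, xpath):
    raw = get_attr(root, xpath)
    return None if raw in (None, "") else int(raw)


def check_thread_pool(root):
    """Constraints the thread pool section states but the engine does not enforce."""
    v = {n: get_int(root, SYSTEM + n + "/@value") for n in (
        "MinThreads", "MaxThreads", "GrowThreadCount", "ShrinkThreadCount",
        "BusyRequestCount", "IdleThreadCount", "SecondsBetweenChecks")}
    out = []
    if v["MinThreads"] is not None and not 0 <= v["MinThreads"] <= 512:
        out.append("MinThreads must be an integer between 0 and 512")
    if None not in (v["MinThreads"], v["MaxThreads"]) and v["MinThreads"] > v["MaxThreads"]:
        out.append("MinThreads exceeds MaxThreads: the pool is sized from MinThreads regardless")
    for n in ("GrowThreadCount", "ShrinkThreadCount", "IdleThreadCount"):
        if v[n] is not None and not 0 <= v[n] <= 16:
            out.append(f"{n} must be an integer between 0 and 16")
    if None not in (v["GrowThreadCount"], v["ShrinkThreadCount"]) and \
            v["GrowThreadCount"] <= v["ShrinkThreadCount"]:
        out.append("GrowThreadCount must be larger than ShrinkThreadCount")
    if v["BusyRequestCount"] is not None and v["BusyRequestCount"] < 2:
        out.append("BusyRequestCount cannot be less than 2")
    if v["SecondsBetweenChecks"] is not None and v["SecondsBetweenChecks"] < 2:
        out.append("SecondsBetweenChecks cannot be smaller than 2")
    return out


def check_secure_icap(root):
    """Only meaningful once SecureICAP/@enabled is True."""
    out = []
    if (get_attr(root, SECURE_ICAP + "/@enabled") or "").strip().lower() != "true":
        return out
    port = get_int(root, SECURE_ICAP + "/SecureICAPPort/@value")
    if port is None or not 0 <= port <= 65535:
        out.append("SecureICAPPort must be an integer from 0 through 65535")
    for n in ("PrivateKeyFile", "CertificateFile"):
        if not get_attr(root, SECURE_ICAP + "/" + n + "/@value"):
            out.append(f"{n} is empty although secure ICAP is enabled")
    raw = get_attr(root, SECURE_ICAP + "/CipherList/@value") or ""
    ciphers = [c.strip() for c in raw.split(",") if c.strip()]
    # Prefix test on OpenSSL names: ECDHE-/DHE- suites give forward secrecy; the
    # static-RSA suites in the default list (AES128-SHA256 and so on) do not.
    no_fs = [c for c in ciphers if not c.startswith(("ECDHE-", "DHE-"))]
    if no_fs:
        out.append("ciphers without forward secrecy: " + ", ".join(no_fs))
    ccv = SECURE_ICAP + "/ClientCertificateVerification"
    if (get_attr(root, ccv + "/@enabled") or "").strip().lower() == "true" and \
            not get_attr(root, ccv + "/ClientCACertificateFile/@value"):
        out.append("ClientCertificateVerification is enabled without a ClientCACertificateFile")
    return out


def check_config(xml_text):
    root = load_config(xml_text)
    return check_thread_pool(root) + check_secure_icap(root)
```

Run check_config on the contents of /opt/SYMCScan/bin/configuration.xml and review each finding before the restart; the forward-secrecy finding is a hardening hint about the shipped default list, not a product error, so apply it only after checking which suites your ICAP clients can negotiate.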

Disable the ICAP threshold client notification

Symantec Protection Engine sends a notification to the specified logging destinations when the
number of queued scan requests reaches the threshold. If your client uses ICAP, Symantec
Protection Engine also rejects the scan request and sends a notification to the client. This feature
lets the client make load-balancing decisions and prevents the server from being overloaded
with scan requests. If you disable the client notification feature, Symantec Protection Engine
continues to send messages to the specified logging destinations when the threshold is met.
The "Log or send alert for maximum load every <n> minutes" setting applies only to SMTP alerts.

Note: For logging to occur at maximum load, the logging level for the logging destination must
be set to Warning or higher.

See “Allocating resources for Symantec Protection Engine” on page 58.


See “ICAP return codes” on page 278.
See “Logging levels and events” on page 142.
Table C-6 lists the threshold client notification settings.

Table C-6 Threshold client notification settings

XPath: /configuration/ProtocolSettings/EnableServerTooBusyResponse/@value
Field values:
■ False: Disables the ICAP threshold client notification.
■ True: Enables the ICAP threshold client notification.
Default setting: True

See “About configuration options” on page 258.

Change the LiveUpdate base time

You can change the relative start time (or LiveUpdate base time) from which to calculate
scheduled LiveUpdate tries. If you change the LiveUpdate base time, the LiveUpdate tries are
scheduled every LiveUpdateSchedule seconds after the base time. The default LiveUpdate
base time is the time at which Symantec Protection Engine was installed.
See “Configuring LiveUpdate to occur automatically” on page 165.
The LiveUpdate base time is specified in UTC seconds since 00:00:00 January 1, 1970.
Table C-7 lists the LiveUpdate base time settings.

Table C-7 LiveUpdate base time settings

XPath: /liveupdate/Schedule/BaseTime/@value
Field values: Integer 0 or greater
Default setting: <install time>

See “About configuration options” on page 258.



Configure the LiveUpdate server details

You are asked to enter the LiveUpdate server details only during an upgrade with the preserve
settings option. However, you can change the LiveUpdate server values after the installation.
In the case of a fresh install or a clean upgrade, the LiveUpdate server details in the
liveupdate.xml file are the same as the details in the liveupdate.xml file that is shipped in the
installer.
After a preserve settings upgrade, the liveupdate.xml file contains some of the required
settings that you set during the installation, or that you provided as silent parameters in the case
of a silent installation. You can set the following parameters at the time of installation:
■ Server Name
■ Server Port
■ Server Path
■ Server Proxy Name
■ Server Proxy Port
See “Creating the response file” on page 224.

Note: In the case of a new installation or a clean upgrade installation, you can edit the
liveupdate.xml file after the installation.

Table C-8 lists the LiveUpdate server parameters.

Table C-8 LiveUpdate server parameters

XPath: /liveupdate/UpdateServer/Protocol/@value
Field values: http, https
Default value: http

XPath: /liveupdate/UpdateServer/Server/@value
Field values: The server name or IP address
Default value: liveupdate.symantec.com

XPath: /liveupdate/UpdateServer/Port/@value
Field values: Integer from 0 through 65535
Default value: 80; 443 (for HTTPS)

XPath: /liveupdate/UpdateServer/Path/@value
Field values: The directory on the LiveUpdate server that contains the LiveUpdate packages
Default value: NA

XPath: /liveupdate/UpdateServer/UserName/@value
Field values: The user name to log on to the LiveUpdate server
Default value: NA

XPath: /liveupdate/UpdateServer/Password/@value
Field values: The password to log on to the LiveUpdate server
Default value: NA

Table C-9 lists the LiveUpdate proxy server parameters.

Table C-9 Proxy server parameters

XPath: /configuration/ProxyServerSettings/ServerName/@value
Field values: The proxy server name or IP address
Default value: NA

XPath: /configuration/ProxyServerSettings/ServerPort/@value
Field values: Integer from 0 through 65535
Default value: 0

XPath: /configuration/ProxyServerSettings/UserName/@value
Field values: The user name to log on to the proxy server
Default value: NA

XPath: /configuration/ProxyServerSettings/Password/@value
Field values: The password to log on to the proxy server
Default value: NA

Note: If you change any of the values related to the LiveUpdate server in the liveupdate.xml
file, you will need to restart the Symantec Protection Engine service.

Note: LiveUpdate proxy configuration supports the basic authentication only.

Specify a replacement file name

Use this option to specify the name of the attachment file that is returned when Symantec
Protection Engine deletes a file. The replacement file contains a message that indicates the
name of the deleted file and why it was deleted.
Table C-10 lists the replacement file name settings.

Table C-10 Replacement file name settings

XPath: /filtering/Container/ReplacementFilename/@value
Field values: Any valid file name. The percentage mark (%) is a sequence number. For example, if two attachments are deleted, the replacement files are called DELETED0.TXT and DELETED1.TXT.
Default setting: DELETED%.TXT

See “About configuration options” on page 258.

Modify the ICAP options attribute-list extension

To list all of the categories that are available for URL filtering, Symantec Protection Engine
uses the Attribute-List response body extension in a response to an ICAP OPTIONS request.
This extension is formally specified in the ICAP Extensions Internet Draft, section 5.2.
To use this extension, an OPTIONS response must specify the header
Encapsulated:opt-body=0. Not all ICAP clients recognize the opt-body encapsulation, so
Symantec Protection Engine makes the opt-body and Attribute-List optional. However, they
are included by default.
To make it possible to disable their use, the OptBodyAllowed option is included in the
configuration settings. If the OptBodyAllowed value is set to true (the default setting), then
Attribute-List is included in OPTIONS responses. If the OptBodyAllowed value is set to false,
then Attribute-List is not included in OPTIONS responses. If OptBodyAllowed is set to false,
an ICAP client that wants to use the URL filtering in audit mode cannot obtain the list of filtering
categories that are available.
Table C-11 lists the OptBodyAllowed header settings.

Table C-11 OptBodyAllowed header settings

XPath: /configuration/protocol/ICAP/OptBodyAllowed/@value
Field values:
■ True: Returns the list of categories.
■ False: Does not return a list of categories.
Default setting: True

See “About configuration options” on page 258.



Access scan error files

By default, Symantec Protection Engine blocks files that produce an Internal Server Error. You
can modify the AllowAccessOnScanError setting to permit access to these files.
When you enable this setting, a Warning level log event is generated each time access is
permitted to a file that produced an Internal Server Error. This log event is sent to all logging
destinations except SNMP.
This setting applies to the ICAP protocol only. For ICAP, the client must permit the ICAP 204
return code by sending the Allow: 204 header with the request.
Table C-12 lists the AllowAccessOnScanError settings.

Table C-12 AllowAccessOnScanError settings

XPath: /policies/ThreatPolicies/Actions/AllowAccessOnScanError/@value
Field values:
■ False: Prohibits access to the files that are blocked by the Internal Server Error result.
■ True: Permits access to the files that are normally blocked by the Internal Server Error result.
Default setting: False

See “About configuration options” on page 258.

Disable automatic self-test scanning

If your client uses the ICAP protocol, Symantec Protection Engine installs with a self-test
scanning feature. Symantec Protection Engine performs a test every minute to check whether
it is responsive and able to scan files. A test file is sent for Symantec Protection Engine to
scan. If Symantec Protection Engine does not respond with a scan result before the timeout
period expires, a Warning message is logged. Each self-test scan occurs 1 minute after the
last self-test scan finishes.
Disable this feature if any of the following conditions apply:
■ You do not want the automatic self-testing scanning events to be logged to the specified
logging destinations.
■ You configure Symantec Protection Engine to send alerts for Warning level events, but
you do not want alerts about this event.
See “Logging levels and events” on page 142.
Table C-13 lists the selfscantest settings.

Table C-13 selfscantest settings

XPath: /configuration/Miscellaneous/SelfScanTest/@enabled
Field values:
■ True: Self-scan testing is enabled.
■ False: Self-scan testing is disabled.
Default setting: True

See “About configuration options” on page 258.

Enable nonviral threat categories information

The ICAP response headers that Symantec Protection Engine uses indicate the total number
of violations that are found in the scanned data. If violations are detected, a series of indented
lines that contain information about each violation follow the header.
By default, Symantec Protection Engine does not send the threat category name in the ICAP
response header. However, you can modify the EnableNonViralThreatCategoryResp value
to include the threat category name in the header.
When enabled, the field in the response header appears as "ThreatDescription" and contains
the threat category name. The threat category name is appended to the virus name with a
delimiter pipe; for example, ThreatDescription =
<VirusName>|NonViralThreat=<CategoryName>.
After you modify the default setting using the command-line tool, restart the Symantec Protection
Engine service.
See “Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux ”
on page 41.
For more information about ICAP response headers, see the Symantec Protection Engine
Software Developer's Guide.
Table C-14 lists the EnableNonViralThreatCategoryResp settings.

Table C-14 EnableNonViralThreatCategoryResp settings

XPath: /configuration/ProtocolSettings/ICAP/EnableNonViralThreatCategoryResp/@value
Field values:
■ True: Symantec Protection Engine sends the nonviral threat category name.
■ False: Symantec Protection Engine does not send the nonviral threat category name.
Default setting: False

See “About configuration options” on page 258.

Specify maximum file size for extracted files

Use this parameter to specify the maximum file size for the individual files that can be extracted
on disk and in memory in Symantec Protection Engine. The MaxExtractSize parameter
accepts a value in MB. The maximum extract file size that you can specify for individual files
in tar, rar, and zip containers is 131072 MB (approximately 128 GB). For other containers, you
can specify a maximum extract file size of 1907 MB (approximately 2 GB) for the individual
files.
For example, if you specify 20480 MB as the maximum limit, the decomposer can extract
individual files of up to 20480 MB each from a top-level container file of type tar, rar, or zip.
For any other top-level container file type, the limit is still 1907 MB.
Table C-15 lists the extracted file size settings.

Table C-15 Maximum file size for extracted files

XPath: /filtering/Container/MaxExtractSize/@value
Field values: 0 through 131072. Type 0 to disable this setting.
Default setting: 100

See “About configuration options” on page 258.

Specify maximum cumulative file size for extracted files

Use this parameter to specify the maximum cumulative file size for extracted files. Symantec
Protection Engine calculates the cumulative file size after each file is extracted. This parameter
stops the recursive scanning of individual files once this file size limit is reached. Once the
maximum limit is reached, the remaining files in the container are not extracted.

The MaxCumulativeExtractSize parameter accepts a value in bytes. The maximum limit you
can enter is 137438953471 bytes (approximately 128 GB). A value of zero (0) disables this
optimization setting.
Table C-16 lists the settings to configure maximum cumulative file size for extracted files.

Table C-16 Maximum cumulative file size for extracted files

XPath: /filtering/Container/MaxCumulativeExtractSize/@value
Field values: Accepts a value in bytes. Type 0 to disable this setting.
Default setting: 0

See “About configuration options” on page 258.

Specify the maximum socket timeout value

Typically, a client sends a file to Symantec Protection Engine over a socket to be scanned, and
Symantec Protection Engine returns the response over the same socket after the file is scanned.
The total time to send the file and receive the response depends on the file size: the larger the
file, the longer Symantec Protection Engine takes to decompose and scan it, and the longer the
response takes to reach the client. If you specify a socket timeout value that is too small, a
socket timeout error is generated. You can specify a larger socket timeout value to avoid
the socket timeout error.
The maximum socket timeout value that you can enter is 4320 minutes (72 hours); the
default value is 5 minutes.
Table C-17 lists the maximum socket timeout value.

Table C-17 Maximum socket timeout value

XPath: /configuration/Resources/System/SocketTimeOut/@value
Field values: Accepts a value in minutes
Default setting: 5

See “About configuration options” on page 258.

Specify file size threshold for scanning exclusion

Use this parameter to specify the file size at or above which files are excluded from scanning.
Files greater than or equal to the specified value are not scanned. Symantec Protection Engine
reports the file as clean and sends the ICAP response code 200 OK. It also logs that the file
was bypassed from scanning, and the request count is incremented by 1. The
FileSizeScanThreshold parameter is supported in ICAP FILEMOD only. The
FileSizeScanThreshold parameter accepts values in bytes.

Table C-18 Maximum value to exclude files from scanning

XPath Field values Default setting

/filtering/FileAttribute/ Integer 0 or greater 0


FileSizeScanThreshold/@value

See “About configuration options” on page 258.
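The following Python script is an added example, not part of the guide or of Symantec's tooling. It reads the three settings documented in Tables C-16 through C-18 (MaxCumulativeExtractSize, SocketTimeOut and FileSizeScanThreshold) from sample copies of filtering.xml and configuration.xml, following the XPaths given in those tables, and reports values that are out of the documented range or that cause files to be passed without scanning. The sample XML documents are constructed for the example and contain only the elements needed here; the function names are the example's own.

```python
"""Audit size and timeout settings in Symantec Protection Engine config files.

Added example, not Symantec's code. The XPaths are those listed in Tables
C-16, C-17 and C-18; the sample XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Limits stated in the guide.
MAX_CUMULATIVE_EXTRACT_BYTES = 137438953471   # approximately 128 GB
MAX_SOCKET_TIMEOUT_MINUTES = 4320             # 72 hours

# Constructed sample documents that follow the documented XPaths
# (/filtering/Container/MaxCumulativeExtractSize/@value and so on).
# The real files contain many more elements than shown here.
FILTERING_XML = """<filtering>
  <Container>
    <MaxCumulativeExtractSize value="0"/>
  </Container>
  <FileAttribute>
    <FileSizeScanThreshold value="52428800"/>
  </FileAttribute>
</filtering>"""

CONFIGURATION_XML = """<configuration>
  <Resources>
    <System>
      <SocketTimeOut value="9000"/>
    </System>
  </Resources>
</configuration>"""


def int_value(root, path):
    """Return the integer @value of the element at path (relative to root),
    or None when the element or its value attribute is missing."""
    node = root.find(path)
    if node is None or node.get("value") is None:
        return None
    return int(node.get("value"))


def audit(filtering_xml, configuration_xml):
    """Return a list of (severity, setting, message) findings in a fixed order."""
    findings = []
    filtering = ET.fromstring(filtering_xml)
    configuration = ET.fromstring(configuration_xml)

    # Table C-18: files at or above the threshold are reported clean (200 OK)
    # without being scanned, so any non-zero value is a deliberate scan bypass.
    threshold = int_value(filtering, "FileAttribute/FileSizeScanThreshold")
    if threshold:
        findings.append(("HIGH", "FileSizeScanThreshold",
                         f"files of {threshold} bytes or more are passed as clean without "
                         "being scanned (ICAP FILEMOD); confirm this is intended"))

    # Table C-16: 0 disables the cumulative extraction limit; values above the
    # documented maximum are invalid.
    extract = int_value(filtering, "Container/MaxCumulativeExtractSize")
    if not extract:
        findings.append(("MEDIUM", "MaxCumulativeExtractSize",
                         "cumulative extraction size limit is disabled (0 or missing)"))
    elif extract > MAX_CUMULATIVE_EXTRACT_BYTES:
        findings.append(("ERROR", "MaxCumulativeExtractSize",
                         f"{extract} exceeds the maximum of "
                         f"{MAX_CUMULATIVE_EXTRACT_BYTES} bytes"))

    # Table C-17: the socket timeout is in minutes, maximum 4320.
    timeout = int_value(configuration, "Resources/System/SocketTimeOut")
    if timeout is not None and timeout > MAX_SOCKET_TIMEOUT_MINUTES:
        findings.append(("ERROR", "SocketTimeOut",
                         f"{timeout} minutes exceeds the maximum of "
                         f"{MAX_SOCKET_TIMEOUT_MINUTES} minutes (72 hours)"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit(FILTERING_XML, CONFIGURATION_XML):
        print(f"{severity:6} {setting}: {message}")
```

Run against the constructed samples, the script reports the 50 MB scan-bypass threshold, the disabled extraction limit, and a socket timeout above the 4320-minute maximum. To audit a live installation, load the real filtering.xml and configuration.xml from the locations listed under "About configuration options" and pass their contents to audit().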

Include category information from ICAP response in URL filtering


Use this option to include category information in the ICAP response when a URL is scanned.

Table C-19 EnableCategoryTypeInICAPResponse settings

XPath: /configuration/ProtocolSettings/ICAP/EnableURLCategoryTypeInICAPResponse/@value
Field values:
■ True: Category information (Local / Vendor) is present in the ICAP response when a URL is scanned.
■ False: Category information is not present in the ICAP response when a URL is scanned.
Default setting: False

Enable threat categories information


The ICAP response headers that Symantec Protection Engine uses indicate the total number
of violations that are found in the scanned data. If violations are detected, a series of indented
lines that contain information about each violation follow the header.
By default, Symantec Protection Engine does not send the threat category name in the ICAP
response header. However, you can modify the EnableThreatCategoryResp value to include
the threat category name in the header.
When enabled, the field in the response header appears as "ThreatDescription" and contains
the threat category name. The threat category name is appended to the virus name with a
pipe (|) delimiter; for example:

ThreatDescription = <VirusName>|NonViralThreat=<CategoryName>

After you modify the default setting using the command-line tool, restart the Symantec Protection
Engine service.

Table C-20 EnableThreatCategoryResp settings

XPath: /configuration/ProtocolSettings/ICAP/EnableThreatCategoryInformation/@value
Field values:
■ True: Symantec Protection Engine sends the threat category name.
■ False: Symantec Protection Engine does not send the threat category name.
Default value: True

Note: This parameter is only applicable with new ICAP services introduced in Symantec
Protection Engine version 7.0 and later. For more information, see the Symantec Protection
Engine Software Developer's Guide.

Specify file path exclusion for scanning in Symantec Protection Engine

You can select the files to be excluded from scanning by specifying the file path. Symantec
Protection Engine excludes files from scanning based on the location of the files.

Note: A maximum of 32 file paths can be excluded from scanning.

Table C-21 lists the file path exclusion scanning settings.

Table C-21 File path exclusion scanning settings

XPath: /filtering/FileAttribute/DenyFilePaths/items/item/@value
Field value: A valid file path. Note: The file path is case sensitive, and each file path must be on a separate line.
Default setting: None

To add an exclusion file path

1 Create a .txt file with the list of file paths that Symantec Protection Engine is to exclude
from scanning.

Note: The file paths are case sensitive and each file path must be on a new line.
Also, the file paths must be unique. The xmlmodifier command does not check for duplicate
file path entries.

2 Save the file to your system.

3 Run the following command:

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths <Path of a text file containing list of exclude file> filtering.xml

For example:

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths F:\Path_list.txt filtering.xml

where F:\Path_list.txt contains the following file paths:

■ C:\testfiles\
■ F:\test\
■ \\10.217.1.2\ONTAP_ADMIN$\vol\vol0\home\test\abc\

Note: The file path can include the name of the file too. For example,
C:\testfiles\abc.txt means that only the abc.txt file in the testfiles folder is
excluded from scanning.

4 Restart the Symantec Protection Engine service.


To manually modify/delete an exclusion file path

1 Open the filtering.xml file and manually delete the file path that needs to be modified.
2 Save the file.
3 Add the new file path to the .txt file, and save the file.

Note: The file paths must be unique. The xmlmodifier command does not check for
duplicate file path entries.

4 Run the following command:

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths <Path of a text file containing list of exclude file> filtering.xml

5 Restart the Symantec Protection Engine service.

To modify/delete an exclusion file path using the xmlmodifier command

1 Run the following command:

xmlmodifier -r //filtering/FileAttribute/DenyFilePaths/items filtering.xml

Note: This command removes all the file paths.

2 Add the new file paths to the .txt file, and save the file.

Note: The file paths must be unique. The xmlmodifier command does not check for
duplicate file path entries.

3 Run the following command:

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths <Path of a text file containing list of exclude file> filtering.xml

4 Restart the Symantec Protection Engine service.

See “About configuration options” on page 258.
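The following Python check is an added example, not part of the guide or of the xmlmodifier tool. It validates a DenyFilePaths list file before the xmlmodifier -b step of the procedures above, applying the guide's own rules (one path per line, case sensitive, unique, at most 32 entries), because xmlmodifier itself does not reject duplicate entries. The sample list is constructed from the guide's example paths with problem entries added; the function names are the example's own.

```python
"""Pre-check a DenyFilePaths list before loading it with xmlmodifier -b.

Added example, not part of the guide or of the xmlmodifier tool. The rules
are the guide's: one path per line, paths are case sensitive, entries must be
unique (xmlmodifier does not check for duplicates), and at most 32 file paths
can be excluded from scanning.
"""

MAX_EXCLUDED_PATHS = 32   # limit stated in the guide

# Constructed sample list: the guide's example paths plus problem entries.
SAMPLE_LIST = "\n".join([
    "C:\\testfiles\\",
    "F:\\test\\",
    "\\\\10.217.1.2\\ONTAP_ADMIN$\\vol\\vol0\\home\\test\\abc\\",
    "F:\\test\\",                  # exact duplicate of line 2
    "c:\\testfiles\\",             # differs from line 1 only in case
    "C:\\testfiles\\abc.txt   ",   # single-file exclusion with trailing spaces
]) + "\n"


def validate_path_list(text):
    """Check a DenyFilePaths list.

    Returns (errors, warnings, paths): errors must be fixed before running
    xmlmodifier -b; warnings are probable mistakes; paths lists the entries
    that would be loaded, with trailing whitespace removed.
    """
    errors, warnings, paths = [], [], []
    first_seen = {}       # exact path -> line number
    first_seen_ci = {}    # lower-cased path -> line number
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            errors.append(f"line {lineno}: empty line; each line must hold exactly one path")
            continue
        path = raw.rstrip()
        if path != raw:
            warnings.append(f"line {lineno}: trailing whitespace; remove it unless it is "
                            "really part of the path")
        if path in first_seen:
            errors.append(f"line {lineno}: duplicate of line {first_seen[path]} ({path}); "
                          "xmlmodifier does not reject duplicates")
            continue
        folded = path.lower()
        if folded in first_seen_ci:
            warnings.append(f"line {lineno}: differs only in case from line "
                            f"{first_seen_ci[folded]}; paths are case sensitive, so both "
                            "entries are kept as separate exclusions")
        first_seen[path] = lineno
        first_seen_ci.setdefault(folded, lineno)
        paths.append(path)
    if len(paths) > MAX_EXCLUDED_PATHS:
        errors.append(f"{len(paths)} paths listed; at most {MAX_EXCLUDED_PATHS} "
                      "file paths can be excluded from scanning")
    return errors, warnings, paths


def xmlmodifier_command(list_path, filtering_xml="filtering.xml"):
    """Return the load command from the guide as an argument list."""
    return ["xmlmodifier", "-b", "//filtering/FileAttribute/DenyFilePaths",
            list_path, filtering_xml]


if __name__ == "__main__":
    errors, warnings, paths = validate_path_list(SAMPLE_LIST)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    if errors:
        print(f"{len(errors)} error(s); fix the list before running xmlmodifier")
    else:
        print("ready to load:", " ".join(xmlmodifier_command("F:\\Path_list.txt")))
```

The exact duplicate is reported as an error because it would be written into filtering.xml unchanged; the case-only near-duplicate is only a warning, since Symantec Protection Engine treats the two spellings as different paths and both exclusions would take effect.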

Configuring the additional parameters of URL Reputation


Apart from the basic URL Reputation configurations, you can configure the following parameters
as required.
■ Enable match exact URLs only option
■ Configure the reputation level
■ Configure the confidence level

Table C-22

XPath: /filtering/URLReputation/MatchExactURLsOnly/@value
Field values:
■ true: The Match Exact URLs Only parameter is enabled.
■ false: The Match Exact URLs Only parameter is disabled.
Default setting: false

XPath: /filtering/URLReputation/Threshold/@reputation
Field values: 1 to 10
Default setting: 8

XPath: //filtering/URLReputation/Threshold/@confidence
Field values: 1 to 5
Default setting: 4
Appendix D
Return codes
This appendix includes the following topics:

■ ICAP return codes

ICAP return codes


The following return codes are generated for ICAP version 1.0:
■ 100 Continue.
■ 200 OK.
■ 201 Created.
■ 204 No content necessary.
■ 400 Bad request.
■ 403 Forbidden. Infected and not repaired.
■ 404 Not found.
■ 500 Internal server error.
■ 502 Bad gateway.
■ 505 ICAP version not supported.
■ 506 Server too busy.
■ 551 Resource unavailable.
■ 558 Aborted - no scanning license.
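The following Python parser is an added example, not part of the guide or of Symantec's software. It reads an ICAP response head, maps the status code to its Appendix D description, and splits a ThreatDescription value of the form <VirusName>|NonViralThreat=<CategoryName>, as described under "Enable threat categories information". The sample response is constructed; the X-Violations-Found header name and the layout of the indented violation lines are assumptions for this example and should be checked against the responses your own engine returns.

```python
"""Parse an ICAP response from Symantec Protection Engine.

Added example, not Symantec's code. The status codes and descriptions are
those listed in Appendix D; the ThreatDescription format is the one given
under "Enable threat categories information". The header name
X-Violations-Found and the layout of the indented lines are assumptions.
"""
import re

# Appendix D return codes for ICAP version 1.0.
ICAP_RETURN_CODES = {
    100: "Continue",
    200: "OK",
    201: "Created",
    204: "No content necessary",
    400: "Bad request",
    403: "Forbidden. Infected and not repaired",
    404: "Not found",
    500: "Internal server error",
    502: "Bad gateway",
    505: "ICAP version not supported",
    506: "Server too busy",
    551: "Resource unavailable",
    558: "Aborted - no scanning license",
}

# Constructed sample: a blocked file with the threat category enabled.
# The violation detail lines are indented, as the guide describes.
SAMPLE_RESPONSE = (
    "ICAP/1.0 403 Forbidden\r\n"
    "X-Violations-Found: 1\r\n"
    "    report.pdf\r\n"
    "    ThreatDescription = Example.Threat.Name|NonViralThreat=ExampleCategory\r\n"
    "\r\n"
)


def parse_threat_description(value):
    """Split '<VirusName>|NonViralThreat=<CategoryName>' into (name, category).

    category is None when only the virus name is present, which is what the
    engine sends while EnableThreatCategoryResp is False.
    """
    name, sep, rest = value.partition("|")
    category = None
    if sep and rest.startswith("NonViralThreat="):
        category = rest[len("NonViralThreat="):].strip()
    return name.strip(), category


def parse_icap_response(raw):
    """Parse the status line and headers of an ICAP response (CRLF separated).

    Returns a dict with the status code, its Appendix D description, a coarse
    disposition for the calling application, the header map, and a list of
    (virus_name, category) tuples taken from ThreatDescription lines.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"ICAP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    status = int(match.group(1))

    headers = {}
    violations = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            # Indented detail line; only ThreatDescription entries are parsed.
            key, sep, value = line.strip().partition("=")
            if sep and key.strip() == "ThreatDescription":
                violations.append(parse_threat_description(value))
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()

    if status == 403:
        disposition = "blocked"          # infected and not repaired
    elif status in (100, 200, 201, 204):
        disposition = "allowed"
    elif status == 558:
        disposition = "no-license"       # scanning did not happen at all
    else:
        disposition = "error"
    return {
        "status": status,
        "reason": ICAP_RETURN_CODES.get(status, "unknown"),
        "disposition": disposition,
        "headers": headers,
        "violations": violations,
    }


if __name__ == "__main__":
    result = parse_icap_response(SAMPLE_RESPONSE)
    print(result["status"], result["reason"], "->", result["disposition"])
    for name, category in result["violations"]:
        print("  threat:", name, "category:", category)
```

The disposition separates the 403 case (the file was scanned and found infected) from 558 and the 5xx codes, where no scan verdict exists; a calling application should not treat those as clean.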
Appendix E
Common LiveUpdate error codes
This appendix includes the following topics:

■ Common LiveUpdate error codes

Common LiveUpdate error codes


Table E-1 lists the most common LiveUpdate error codes and their descriptions.

Table E-1 Common error codes

Error code Description

24 No update available post rollback unless the new set of definitions are available.

27 Update aborted. Timeout reached.

28 Update aborted. Download Failed.

29 Update aborted. Another LiveUpdate session is in progress.

30 Error connecting to update server.

31 Error while downloading specified component.

35 LiveUpdate session canceled.

41 Invalid product name while performing LiveUpdate.

42 LiveUpdate download and transport related errors.

48 LiveUpdate aborted due to low or no disk space.

55 Server selection failed.



62 LiveUpdate is unable to find a valid license for requested feature update.


Index

Symbols
.zip files. See container files

A
ActiveX 79
alerts 151
  See also logging
  about 151
  intervals, maximum load 58
  outbreak notifications 153, 216
  SMTP 151, 212
  SNMP 152, 214
antivirus. See threats
auto-refresh 161

B
bind address
  ICAP 76, 181
  log 145, 207

C
certificate file 45
Certificate Import Utility 45
command-line scanner
  about 230
  file scanning 231
  installing 231
  IP address and port 238
  options 234
  recursive scanning 243
  redirecting console output 245
  scanning mode 239
  scanning results 240
  supported platforms 231
  supported protocol 231
  syntax and usage 232
configuration data 257
configuration.xml 257
console 257
  See also XML modifier command-line tool
  accessing 43
  configuring interface settings 47
  port number 47
  server address 47
  SSL port number 47
  timeout 47
container files
  encrypted container file 92, 190
  handling unscannable files 91
  setting processing limits 113, 202
content categories 131
  See also HTTP filtering
  See also local categories
content license 63
core server only mode 172
create new user accounts
  options 51
  process 51

D
DBCS path names 232
definitions
  about 163
  types 163
  updating
    using LiveUpdate 164
delete user accounts
  options 55
  process 55
dynamic thread pool 58

E
edit user accounts
  options 53
  process 53
email, filtering by
  file name 87, 185
  file or attachment size 89, 187
  maximum mail size 113, 201
events, logging 142

F
filtering. See HTTP filtering and email, filtering by
filtering.xml 257
fulfillment ID 68

H
home page
  auto-refresh 161
  scanning summary 159–160
HTTP filtering
  about 118
  customizing the access denied message 138, 206
  local categories 131
  modes 132
  URL categories 118
HTTPS server 44–45

I
ICAP
  about 75
  bind address 76, 181
  command-line scanner, using 230
  configuring 76, 181
  port number 76, 181
  quarantining files 85
  return codes 278
  scan policy 76, 181
  supported services 74
installation
  authentication modes 33
  command-line scanner 231
  on Linux 34, 37
  preparing for 28
Intelligent Update
  definitions, Symantec update frequency 164

J
JRE (Java Runtime Environment) 28

K
keys 45
keystore 45

L
license
  content 68
  content license 63
  locating the serial number 65
  product 68
  product license 63
licensing
  about 63
  activating 65
  checking status 68
  license file
    installing 66
    obtaining 65
    removing 67
  types of licenses 63
Linux
  installing Symantec Protection Engine 34
  stopping and starting service 41
  uninstalling 62
  upgrading Symantec Protection Engine 37
LiveUpdate
  about 164
  definitions, Symantec update frequency 164
  licensing requirement 63
  logs 167
  rolling back definitions 169
  updating definitions
    automatically 165, 219
    on demand 166
LiveUpdate error codes 279
liveupdate.xml 257
load 102
load balancing 17
local categories 131
  See also content categories
  See also HTTP filtering
  about 131
  managing 134
local logging
  configuring 147, 208
  exporting data 157
  managing local logs 155
  purging log files 148, 210
  statistics reporting 149, 211
  viewing data 156
logging 151
  See also alerts
  about 141
  changing log file location 147, 209
  configuring local logging 146
  destinations 141
  levels and events 142
  outbreak alerting 153, 216
  purging log files 148, 210
  reporting functions 155
  SMTP alerts 151, 212
  SNMP alerts 152, 214
  statistics reporting 149, 211
  viewing statistic logs data 158

M
mail filter policy, blocking by
  file name 87, 185
  individual file size 89, 187
  total file or message size 113, 201
mail message update feature 87, 185
multiple user accounts 51

N
notifications
  configuring 146
  logging 141

O
outbreak alerts 153, 216

P
PFX certificate file 45
PKCS#12 certificate file 45
policy.xml 257
port number, configuring
  ICAP 76, 181
POST transactions 75
process priority 102
processing limits 113, 202
product
  license 63, 68
protection, updating
  using LiveUpdate 164
protocol
  supported protocols 73
  supported services 74

Q
Quarantine 85
quarantine 82, 184
queue size 58

R
recursive scanning 243
resource 102
resource consumption 102, 104, 200
  log file 105
return codes
  ICAP 278
risks. See threats and security risks
RPC
  quarantining files 85
  supported services 74

S
scan policy 182
scanning 240
  See also command-line scanner
  See also HTTP filtering
  See also threats
  improving performance 110, 113, 201
scanning summary 159–160
scanning thread 102
scans
  licensing requirements 63, 68
  specifying temporary scanning directory 58
security notice
  about 57
  enable or disable 57
self-test scanning 269
serial number 65
silent installation
  creating response file 224
  generating encrypted password 229
  initiating installation
    Linux 229
  installing
    Linux 223
SMTP alerts
  alert bind address 145, 207
  configuring 151, 212
SNMP alerts
  alert bind address 145, 207
  configuring 152, 214
SSL (Secure Socket Layer) 45
Symantec Insight™ 95
  aggression level 95, 196
  Enabling Symantec Insight 195
Symantec Protection Engine
  allocating resources 58
  configuring using XML modifier command-line tool 257
  installing 32
  starting and stopping the daemon 41
  types of risks detected 79
system requirements 29

T
telemetry 22
temporary scanning directory
  specifying 58
third-party certificate 45
thread pool
  maximum threads 58
  XML modifier command-line tool 262
threats 79, 113, 202
  See also command-line scanner
  See also container files
  blocking by
    file name 87, 185
    individual file size 89, 187
  category 80
  enabling detection 82
  handling encrypted container files 92, 190
  handling unscannable files 91
  impact levels 80
  quarantining files 85
  quarantining infected files 184
  testing detection capabilities 84

U
uninstallation 62
unscannable container files 91
  encrypted container file 92, 190
unscannable files 91–92, 190
upgrade 28
URL (Uniform Resource Locator) 117
URL categories
  about 118
  denying access 133, 205
  overriding URL categories 137
  predefined categories 118
URL filtering
  about 118
  customizing the access denied message 138, 206
  local categories 131
  See also
  modes 132
  URL categories 118
user accounts
  about 51
  Administrator 51
  create 51
  delete 55
  edit 53
  logs 51
  managing 51
  maximum number 51
  view 56
user notifications
  customizing 93, 138, 191, 206
UTF-8 encoding 133, 205, 257

V
view user accounts
  process 56
  visible details 56
virus 79, 113, 202
  See also command-line scanner
  See also container files
  blocking by
    file name 87, 185
    individual file size 89, 187
  enabling detection 82
  handling encrypted container files 92, 190
  handling unscannable files 91
  quarantining files 85
  quarantining infected files 184
  testing detection capabilities 84

X
XML modifier command-line tool
  accessing 177
  configuration options 258
  file locations 257
